Edit tour

Windows Analysis Report
quHmbPnLFV.exe

Overview

General Information

Sample name:	quHmbPnLFV.exe renamed because original name is a hash value
Original sample name:	ee5c76835a63d4656886ab1f9755ee84b7311394bd2ec83e8c8c4170dc48e3aa.exe
Analysis ID:	1582216
MD5:	e4a3903deccb9128673c052ca0a31080
SHA1:	326c8a7f863a9a7c3f6135a6a916168bea68b1be
SHA256:	ee5c76835a63d4656886ab1f9755ee84b7311394bd2ec83e8c8c4170dc48e3aa
Tags:	backdoorexesilverfoxwinosuser-zhuzhu0009
Infos:

Detection

GhostRat

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GhostRat

AI detected suspicious sample

Contain functionality to detect virtual machines

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found stalling execution ending in API Sleep call

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

quHmbPnLFV.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\quHmbPnLFV.exe" MD5: E4A3903DECCB9128673C052CA0A31080)

WerFault.exe (PID: 7472 cmdline: C:\Windows\system32\WerFault.exe -u -p 7296 -s 1356 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: quHmbPnLFV.exe PID: 7296	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: quHmbPnLFV.exe

Virustotal: Detection: 11%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF665B43FB0 CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CloseHandle,CloseHandle,

0_2_00007FF665B43FB0

Source: quHmbPnLFV.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF665BB0B00 FindFirstFileW,FindClose,

0_2_00007FF665BB0B00

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 206.238.220.204:6666

Source: unknown	DNS traffic detected: query: 53.210.109.20.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD1750 select,recv,

0_2_000001FE8FAD1750

Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 53.210.109.20.in-addr.arpa

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FADC1B0 Sleep,GetTickCount,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,lstrlenW,wsprintfW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,

0_2_000001FE8FADC1B0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

0_2_000001FE8FADC1B0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD8FC0 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

0_2_000001FE8FAD8FC0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAF80B8 DirectInput8Create,

0_2_000001FE8FAF80B8

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF665BB1B50: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00007FF665BB1B50

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD8A2D ExitWindowsEx,	0_2_000001FE8FAD8A2D
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD8997 GetModuleFileNameW,GetCommandLineW,GetStartupInfoW,CreateProcessW,ExitProcess,ExitProcess,ExitWindowsEx,	0_2_000001FE8FAD8997
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD8A4E ExitWindowsEx,	0_2_000001FE8FAD8A4E

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD14F0	0_2_000001FE8FAD14F0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD2B00	0_2_000001FE8FAD2B00
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAE21F0	0_2_000001FE8FAE21F0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAF3A24	0_2_000001FE8FAF3A24
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD5A10	0_2_000001FE8FAD5A10
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAED160	0_2_000001FE8FAED160
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FADC1B0	0_2_000001FE8FADC1B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD98D0	0_2_000001FE8FAD98D0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAEC7E0	0_2_000001FE8FAEC7E0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD8FC0	0_2_000001FE8FAD8FC0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD5820	0_2_000001FE8FAD5820
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAF6770	0_2_000001FE8FAF6770
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAE7F58	0_2_000001FE8FAE7F58
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FADF650	0_2_000001FE8FADF650
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FADBDD0	0_2_000001FE8FADBDD0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAEFD10	0_2_000001FE8FAEFD10
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAEEC80	0_2_000001FE8FAEEC80
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FADB480	0_2_000001FE8FADB480
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FADCBF0	0_2_000001FE8FADCBF0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAF5378	0_2_000001FE8FAF5378
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD9B40	0_2_000001FE8FAD9B40
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAE7B8C	0_2_000001FE8FAE7B8C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD62F0	0_2_000001FE8FAD62F0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAE8B00	0_2_000001FE8FAE8B00
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD3A60	0_2_000001FE8FAD3A60
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAF4288	0_2_000001FE8FAF4288
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD5280	0_2_000001FE8FAD5280
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665B44610	0_2_00007FF665B44610
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C2D588	0_2_00007FF665C2D588
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C32934	0_2_00007FF665C32934
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C38770	0_2_00007FF665C38770
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665B6B240	0_2_00007FF665B6B240
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665B761B0	0_2_00007FF665B761B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C2A144	0_2_00007FF665C2A144
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665B98500	0_2_00007FF665B98500
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C2A3D8	0_2_00007FF665C2A3D8
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665B633A0	0_2_00007FF665B633A0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C33340	0_2_00007FF665C33340
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665B5FE70	0_2_00007FF665B5FE70
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665B80050	0_2_00007FF665B80050
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C30ACC	0_2_00007FF665C30ACC
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C3A9D8	0_2_00007FF665C3A9D8
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665B5B9B0	0_2_00007FF665B5B9B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665B80970	0_2_00007FF665B80970
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665B72C00	0_2_00007FF665B72C00
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665BC6BF0	0_2_00007FF665BC6BF0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C25BE4	0_2_00007FF665C25BE4
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C38B9C	0_2_00007FF665C38B9C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665BB1B50	0_2_00007FF665BB1B50
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665B60B50	0_2_00007FF665B60B50
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400041B0	0_2_00000001400041B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400014F0	0_2_00000001400014F0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014001BFE8	0_2_000000014001BFE8
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014001D06C	0_2_000000014001D06C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140005100	0_2_0000000140005100
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400101E0	0_2_00000001400101E0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140003310	0_2_0000000140003310
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140007B60	0_2_0000000140007B60
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014000F38C	0_2_000000014000F38C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140002D20	0_2_0000000140002D20
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014001364C	0_2_000000014001364C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014001A698	0_2_000000014001A698
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400166B0	0_2_00000001400166B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014000F6D4	0_2_000000014000F6D4
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014001AEFC	0_2_000000014001AEFC
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014000A700	0_2_000000014000A700
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140013FCC	0_2_0000000140013FCC
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FA9F121	0_2_000001FE8FA9F121
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FA9B8A1	0_2_000001FE8FA9B8A1
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FA90FC1	0_2_000001FE8FA90FC1
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAAE751	0_2_000001FE8FAAE751
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FA9AF51	0_2_000001FE8FA9AF51
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FA9C6C1	0_2_000001FE8FA9C6C1
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAA765D	0_2_000001FE8FAA765D
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FA925D1	0_2_000001FE8FA925D1
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FA94D51	0_2_000001FE8FA94D51
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FA954E1	0_2_000001FE8FA954E1
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FA93531	0_2_000001FE8FA93531
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FA993A1	0_2_000001FE8FA993A1
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FA98A91	0_2_000001FE8FA98A91

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: String function: 00007FF665B4D680 appears 62 times

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7296 -s 1356

Source: quHmbPnLFV.exe

Binary or memory string: nna.nosciencehu.comtadaoka.osaka.jphayakawa.yamanashi.jpdnsalias.orgedu.saedu.sbedu.rsedu.sclib.id.usogori.fukuoka.jpnotogawa.shiga.jpedu.sdrepbody.aeroid.auedu.ruk12.nj.usloyalist.museumedu.rwedu.sgxyzmoka.tochigi.jpdynathome.netkimino.wakayama.jpedu.slnissanveterinaire.kmkokubunji.tokyo.jpedu.snos.hordaland.notm.kmartsandcrafts.museumis-a-musician.com*.kitakyushu.jpiitate.fukushima.jpedu.stav.iturayasu.chiba.jpedu.svflorida.museumninjaedu.synemuro.hokkaido.jpedu.tjs

Source: classification engine

Classification label: mal76.troj.evad.winEXE@2/6@2/2

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF665B49F50 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF665B49F50

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD51C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	0_2_000001FE8FAD51C0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD5040 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,OpenProcess,	0_2_000001FE8FAD5040
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAD56A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_000001FE8FAD56A0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD4770 GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,swprintf,swprintf,

0_2_000001FE8FAD4770

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD3970 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_000001FE8FAD3970

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD4B60 lstrlenW,CoInitialize,CoInitializeEx,CoCreateInstance,swprintf,

0_2_000001FE8FAD4B60

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7296
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024. 9. 2

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7d97e41a-8ac5-4559-9f11-f770fd602ba3

Jump to behavior

Source: quHmbPnLFV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: quHmbPnLFV.exe

Virustotal: Detection: 11%

Source: quHmbPnLFV.exe	String found in binary or memory: Africa/Addis_Ababa
Source: quHmbPnLFV.exe	String found in binary or memory: in-addr.arpa
Source: quHmbPnLFV.exe	String found in binary or memory: gaviika.notattoofg.itkonan.shiga.jpoff.aicountrydevrn.itsamukawa.kanagawa.jpbaiduport.frcarbonia-iglesias.itmiyoshi.tokushima.jptabuse.yamaguchi.jpsosnowiec.pladultin-addr.arpagran.nogob.paserveftp.orghidaka.hokkaido.jpnesseby.nosatosho.okayama.jpgob.peflightsandriabarlettatrani.itnagato.yamaguchi.jphostnes.akershus.nogob.pkdvrdns.orgmiyota.nagano.jpembroidery.museumkarasjohka.nofrom-ky.comtrieste.itashoro.hokkaido.jpdealersaigawa.fukuoka.jpspiegelatlanta.museumromskog.nol

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

File read: C:\Users\user\Desktop\quHmbPnLFV.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\quHmbPnLFV.exe "C:\Users\user\Desktop\quHmbPnLFV.exe"
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7296 -s 1356

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: ddraw.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dxcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7B70EE0-4340-11CF-B063-0020AFC2CD35}\InprocServer32

Jump to behavior

Source: quHmbPnLFV.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: quHmbPnLFV.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: quHmbPnLFV.exe

Static file information: File size 2835456 > 1048576

Source: quHmbPnLFV.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x104c00
Source: quHmbPnLFV.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x171600

Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: quHmbPnLFV.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: quHmbPnLFV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: quHmbPnLFV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: quHmbPnLFV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: quHmbPnLFV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: quHmbPnLFV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: quHmbPnLFV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD4D10 LoadLibraryW,GetProcAddress,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,

0_2_000001FE8FAD4D10

Source: quHmbPnLFV.exe

Static PE information: section name: .gehcont

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAF89D8 push rbp; retf

0_2_000001FE8FAF8A04

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD8933 OpenEventLogW,ClearEventLogW,CloseEventLog,

0_2_000001FE8FAD8933

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: C:\Program Files\VMware\VMware Tools\ VMware

0_2_000001FE8FAD4F20

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-75680

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-76403

Source: C:\Users\user\Desktop\quHmbPnLFV.exe TID: 7316	Thread sleep time: -50000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe TID: 7388	Thread sleep time: -50000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF665BB0B00 FindFirstFileW,FindClose,

0_2_00007FF665BB0B00

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD4900 RegOpenKeyExW,RegQueryValueExW,lstrcmpW,RegQueryValueExW,lstrcpyW,RegQueryValueExW,GetSystemInfo,wsprintfW,lstrcpyW,lstrcpyW,RegCloseKey,RegCloseKey,

0_2_000001FE8FAD4900

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: quHmbPnLFV.exe, 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware\VMware Tools\
Source: quHmbPnLFV.exe, 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ~/%s%d/None/%sHDD:%dWW %d Gb Free %d Gb Mem: %d Gb %sFree%d Gb %s-%d8herrorDriverDescSYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000%s >fX[:%d MGetNativeSystemInfontdll.dllRtlGetNtVersionNumbers%d.%d.%dSOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameC:\Program Files\VMware\VMware Tools\VMwareSeDebugPrivilegeNtSetInformationProcessNtDll.dllWindows\System32\svchost.exe%s%sOpenProcessKernel32.dllExitProcessWinExecWaitForSingleObjectwininet.dllInternetOpenWMSIE 6.0InternetOpenUrlWInternetReadFileInternetCloseHandleinvalid string positionstring too long
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: quHmbPnLFV.exe, 00000000.00000002.1939782639.000001FE8DBC2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	API call chain: ExitProcess graph end node			graph_0-75573
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	API call chain: ExitProcess graph end node			graph_0-75944

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAE6968 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000001FE8FAE6968

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD4D10 LoadLibraryW,GetProcAddress,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,

0_2_000001FE8FAD4D10

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD41F0 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

0_2_000001FE8FAD41F0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAE6968 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000001FE8FAE6968
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAE3A20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000001FE8FAE3A20
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FADB480 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,Sleep,EnumWindows,Sleep,EnumWindows,CreateEventA,Sleep,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,	0_2_000001FE8FADB480
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAF8270 SetUnhandledExceptionFilter,	0_2_000001FE8FAF8270
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C27648 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF665C27648
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF665C2160C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF665C2160C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400041B0 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,CreateThread,WaitForSingleObject,CloseHandle,Sleep,	0_2_00000001400041B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014000E2F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000014000E2F8
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400112FC SetUnhandledExceptionFilter,	0_2_00000001400112FC
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014000BF30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000000014000BF30

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD5A10 GetSystemDirectoryA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread,

0_2_000001FE8FAD5A10

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD5280 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,

0_2_000001FE8FAD5280

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe

0_2_000001FE8FAD5280

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAD4140 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000001FE8FAD4140

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetSystemInfo,wsprintfW,GetLocalTime,wsprintfW,GetLocaleInfoW,EnumDisplayMonitors,swprintf,swprintf,lstrcatW,GetSystemDirectoryW,GetCurrentHwProfileW,

0_2_000001FE8FAD2B00

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FADB9A0 Sleep,SleepEx,GetLocalTime,wsprintfW,Sleep,SleepEx,EnumWindows,Sleep,EnumWindows,Sleep,SleepEx,CreateEventA,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,

0_2_000001FE8FADB9A0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF665C2A144 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF665C2A144

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_000001FE8FAE95AC HeapCreate,GetVersion,HeapSetInformation,

0_2_000001FE8FAE95AC

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: quHmbPnLFV.exe	Binary or memory string: acs.exe
Source: quHmbPnLFV.exe	Binary or memory string: kxetray.exe
Source: quHmbPnLFV.exe	Binary or memory string: avcenter.exe
Source: quHmbPnLFV.exe	Binary or memory string: vsserv.exe
Source: quHmbPnLFV.exe	Binary or memory string: KSafeTray.exe
Source: quHmbPnLFV.exe	Binary or memory string: cfp.exe
Source: quHmbPnLFV.exe	Binary or memory string: avp.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: quHmbPnLFV.exe	Binary or memory string: 360Safe.exe
Source: quHmbPnLFV.exe	Binary or memory string: 360tray.exe
Source: quHmbPnLFV.exe	Binary or memory string: rtvscan.exe
Source: quHmbPnLFV.exe	Binary or memory string: ashDisp.exe
Source: quHmbPnLFV.exe	Binary or memory string: TMBMSRV.exe
Source: quHmbPnLFV.exe	Binary or memory string: 360Tray.exe
Source: quHmbPnLFV.exe	Binary or memory string: avgwdsvc.exe
Source: quHmbPnLFV.exe	Binary or memory string: AYAgent.aye
Source: quHmbPnLFV.exe	Binary or memory string: RavMonD.exe
Source: quHmbPnLFV.exe	Binary or memory string: QUHLPSVC.EXE
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe
Source: quHmbPnLFV.exe	Binary or memory string: Mcshield.exe
Source: quHmbPnLFV.exe	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: quHmbPnLFV.exe PID: 7296, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: quHmbPnLFV.exe PID: 7296, type: MEMORYSTR

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000001FE8FAE0EF0 htons,bind,		0_2_000001FE8FAE0EF0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140009400 htons,bind,		0_2_0000000140009400

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	211 Process Injection	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	2 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	17 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Indicator Removal	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
quHmbPnLFV.exe	11%	Virustotal		Browse
quHmbPnLFV.exe	8%	ReversingLabs	Win64.Malware.Generic

Name	IP	Active	Malicious	Antivirus Detection	Reputation
53.210.109.20.in-addr.arpa	unknown	unknown	false		high
15.164.165.52.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
206.238.220.204	unknown	United States		174	COGENT-174US	false

Private

IP
192.168.1.2

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582216
Start date and time:	2024-12-30 03:52:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	quHmbPnLFV.exe renamed because original name is a hash value
Original Sample Name:	ee5c76835a63d4656886ab1f9755ee84b7311394bd2ec83e8c8c4170dc48e3aa.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@2/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 76 Number of non-executed functions: 263
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 40.126.32.134, 172.202.163.200, 52.165.164.15, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
21:53:02	API Interceptor	2x Sleep call for process: quHmbPnLFV.exe modified
21:53:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	154.44.130.212
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	154.22.1.136
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	38.237.101.164
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	38.142.152.46
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	38.53.96.152
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	38.34.88.62
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	206.42.118.144
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	38.168.204.186
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	38.236.228.40
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	38.59.110.247

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_quHmbPnLFV.exe_ff65ec9a547faaab72fb38c58ef38a8d91f5916e_af65133f_54b19cd4-1e5b-4af4-9f7a-9955a068d1c9\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0638486583563953
Encrypted:	false
SSDEEP:	192:WvtC5y4MZ90hT88SjjZtXpZFQ2wzuiFIZ24lO8Q:Ityy4MAho8SjZwzuiFIY4lO8Q
MD5:	49E8B3AD565EE084CA35201B4D3755AA
SHA1:	AE76A61A490B02B69833C967E07AD93905679267
SHA-256:	0B5EA97498F11AB44937CFC6E053F27626CF6BEC95CA386168388B2F19602DA4
SHA-512:	EB33682BF09D54A9A4BB44050C712382BDF00D5C56CEE0C30E49AD71DE3570561547442E467F0A56537D8DE2B1D6423E6A7C294C58A4A7C489A4AE12A170DCBC
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.0.0.7.8.8.5.0.4.6.5.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.0.0.7.8.8.9.8.2.6.6.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.4.b.1.9.c.d.4.-.1.e.5.b.-.4.a.f.4.-.9.f.7.a.-.9.9.5.5.a.0.6.8.d.1.c.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.8.1.9.3.f.a.-.c.a.3.1.-.4.f.2.2.-.a.a.8.f.-.d.2.3.6.0.c.7.4.7.2.8.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.q.u.H.m.b.P.n.L.F.V...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.8.0.-.0.0.0.1.-.0.0.1.4.-.3.2.2.9.-.2.8.f.0.6.5.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.2.5.5.3.d.3.c.5.e.c.0.1.a.7.5.9.a.9.0.a.0.b.8.3.3.3.d.0.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.3.2.6.c.8.a.7.f.8.6.3.a.9.a.7.c.3.f.6.1.3.5.a.6.a.9.1.6.1.6.8.b.e.a.6.8.b.1.b.e.!.q.u.H.m.b.P.n.L.F.V...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.0.2.:.2.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC782.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon Dec 30 02:53:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	220222
Entropy (8bit):	1.8055964783384484
Encrypted:	false
SSDEEP:	1536:uirqwi/Lk6aaRyF2ESnPVXszKvrADuGFJm+QdeOJdmd/L8uJO8QA+Ka2RDHC4jPL:TYA6aapmLs
MD5:	807F73A2A0EBC986329EF5DC408C8167
SHA1:	7EF948D92646B2FBC8ABE662A7310F88AF94FA57
SHA-256:	223D1A23416AC4F61460F8DEC9236E5ABCE859D7C27767BF17491130DE7B8881
SHA-512:	0F4998D96F0DFAC4C37BB90B9EC0E322AE92BF8669DD91B33D69133D39A3935CB8E75D98DBAB3EDF134FD52A266D11F7756E2E7354CCD3C7F60AD7CF82E9A614
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........rg............t.......................$....$...........$......................l.......8...........T............4...'..........dB..........PD..............................................................................eJ.......D......Lw......................T.............rg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC88D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8870
Entropy (8bit):	3.7048037031152967
Encrypted:	false
SSDEEP:	192:R6l7wVeJ6grC6Y9LNMJgmfyUJxnprD89b6S9fGvem:R6lXJ1+6YRNMJgmfy4464fGP
MD5:	4D325254DCCA7AD423F156A459BA46F6
SHA1:	BC8453D8568DE59454996F5B1664943B08D1040B
SHA-256:	32DBA8F5D3FC5D123348EBE08F3373C50AAC85476748F1AD19250F3541101C72
SHA-512:	E407C43C6CAE315B394A1F117A90A8D89DDAD7A72B01D4520FE8F77F083549E2C2B0D9365EE83D05A1F87AD7B35DF021F7DD8CCD0831B7726C98ABF753E3392E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8AD.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4796
Entropy (8bit):	4.486279002934917
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg771I97gWpW8VY2Ym8M4JTwFFzyq8v0d2b/Ed:uIjfZI78Z7V6JT6WI2jEd
MD5:	55DA29C5D67596F13D0CDDD8A17B5E3E
SHA1:	0E4CFD138B78282E49B241A8B5ADFC1DD1C4C5C3
SHA-256:	17D3E04F1F1FA61A0157BE52D8108384C89C039BFABF9C0962A9F0EBDF243086
SHA-512:	549906F3C8D0F76978057C26B30C22536BF0226D9D9F7B6F716965D8391DD950CAF870128D689E3479AD78110A28326E3097AA9D23F0912D9750F9D24536DE17
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="653395" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\quHmbPnLFV.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................user.

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4656056293489925
Encrypted:	false
SSDEEP:	6144:eIXfpi67eLPU9skLmb0b44WSPKaJG8nAgejZMMhA2gX4WABl0uN+dwBCswSbt:zXD944WlLZMM6YFHw+t
MD5:	1248E6A028A4476BC60FA0DC6BC646E9
SHA1:	10F7D744A5EC44B78A20E6A291FC8B76E813200D
SHA-256:	6973B189D5BFEA3CD6EA6C59CFA7E8367558E55CB5C7FA5CF405B39DEAFAEEF3
SHA-512:	15293B7912B2735C38C96FEDE18D973BD8239EFD1A77DA925FBC138BF42C2314AE0B1B2AD712A8D0AE4B9E59BA5C6FE21B3CA593C509AFC92534158739F9D5C4
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmb...eZ...............................................................................................................................................................................................................................................................................................................................................3..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.639658770449267
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	quHmbPnLFV.exe
File size:	2'835'456 bytes
MD5:	e4a3903deccb9128673c052ca0a31080
SHA1:	326c8a7f863a9a7c3f6135a6a916168bea68b1be
SHA256:	ee5c76835a63d4656886ab1f9755ee84b7311394bd2ec83e8c8c4170dc48e3aa
SHA512:	ab8b0f92a863c348c6819ba0f7cbc0b7d3669118c9646b239e542cc82768c7685e4326cb113561de23bf5aba5d539be3fdab6c212794ba4894011c40022bcbb2
SSDEEP:	49152:nKAtKQ+IgK2jItFcJsv6tWKFdu9C4FwPg0u7vTPQnWCLZgZ3YPmWjZ5RPpA4Jtuv:n9BFcJsv6tWKFdu9C9yvSWkUh
TLSH:	07D57B06B7A54164E9F7C13D49A3D296E6727C868B229ADF126CBB1D3D332F0193B311
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............r...r...r.......r......<r.......r.......r.......r...,...r...,...r.......r.......r.......r...r..^r..;....r..;....r..;....r.

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400e0cd4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D63D8D [Mon Sep 2 22:34:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	ec2055fdb052a446adb6979fb0ed0eab

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FCC1C7EE860h
dec eax
add esp, 28h
jmp 00007FCC1C7EDB07h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
jmp 00007FCC1C7EDCA1h
dec eax
mov ecx, ebx
call 00007FCC1C7FD98Ah
test eax, eax
je 00007FCC1C7EDCA5h
dec eax
mov ecx, ebx
call 00007FCC1C7F45CEh
dec eax
test eax, eax
je 00007FCC1C7EDC79h
dec eax
add esp, 20h
pop ebx
ret
dec eax
cmp ebx, FFFFFFFFh
je 00007FCC1C7EDC98h
call 00007FCC1C7EEC40h
int3
call 00007FCC1C7EEC5Ah
int3
jmp 00007FCC1C72B91Ch
int3
int3
int3
jmp 00007FCC1C7EDC4Ch
int3
int3
int3
dec eax
sub esp, 28h
call 00007FCC1C7EEDDCh
test eax, eax
je 00007FCC1C7EDCB3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FCC1C7EDC97h
dec eax
cmp ecx, eax
je 00007FCC1C7EDCA6h
xor eax, eax
dec eax
cmpxchg dword ptr [001CAC78h], ecx
jne 00007FCC1C7EDC80h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FCC1C7EDC89h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [001CAC63h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [001CAC53h], al
call 00007FCC1C7EEC0Bh
call 00007FCC1C7F01AAh
test al, al
jne 00007FCC1C7EDC96h

Rich Headers

Programming Language:

[ C ] VS2015 UPD3.1 build 24215
[C++] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x275bc0	0x428	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x275fe8	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2ba000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2ad000	0xb874	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2bb000	0x1738	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2558d0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x255a10	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x255910	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x106000	0x5f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x104afb	0x104c00	c84d40d1f469072f57a689e738938f87	False	0.4515520134228188	data	6.42377635279018	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x106000	0x171426	0x171600	b3565b4a69ad63ff5f0bccae2be1aeb9	False	0.4485690302453469	data	6.12092587750584	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x278000	0x34cf8	0x30600	eaf56cb727f7c173a8525299caf11fab	False	0.9167877906976745	data	7.769789455373511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x2ad000	0xb874	0xba00	cf779a23130b6ed874a178e9a6439f89	False	0.49380460349462363	data	6.05031206526366	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gehcont	0x2b9000	0x14	0x200	0b1a7acc4da92921e25ea6fbe01d58f0	False	0.048828125	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2ba000	0x2f0	0x400	0bb6439b754faf94f529f9817d706a2f	False	0.4033203125	data	4.3014032271203595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2bb000	0x1738	0x1800	b78a8906569a1ced329731d1563785d5	False	0.3839518229166667	data	5.389524742252251	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x2ba060	0x289	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5500770416024653

Imports

DLL	Import
KERNEL32.dll	IsBadReadPtr, FreeLibrary, GetModuleHandleW, GetCommandLineW, GetCurrentProcessId, LocalFree, VerSetConditionMask, GetLastError, GetVersionExW, FormatMessageW, VerifyVersionInfoW, OutputDebugStringW, GetConsoleWindow, CompareStringW, GetUserDefaultLCID, GetStartupInfoW, GetModuleFileNameW, SetEvent, WaitForSingleObject, CreateEventW, DuplicateHandle, WaitForMultipleObjects, GetCurrentProcess, CreateThread, GetCurrentThread, GetCurrentThreadId, SetThreadPriority, GetThreadPriority, TerminateThread, ResumeThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemInfo, QueryPerformanceCounter, QueryPerformanceFrequency, GetTickCount, WaitForSingleObjectEx, GetSystemDirectoryW, LoadLibraryW, GetSystemTime, GetLocalTime, CreateFileW, GetFileAttributesExW, GetCurrentDirectoryW, CreateDirectoryW, DeleteFileW, FindClose, FindFirstFileW, GetFileAttributesW, GetFileInformationByHandle, GetFullPathNameW, GetLogicalDrives, GetLongPathNameW, RemoveDirectoryW, GetTempPathW, SetErrorMode, DeviceIoControl, CopyFileW, MoveFileW, GetProcessHeap, FileTimeToSystemTime, FlushFileBuffers, GetFileType, ReadFile, SetEndOfFile, SetFilePointerEx, WriteFile, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, MoveFileExW, ResetEvent, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, GetCurrencyFormatW, GetUserDefaultUILanguage, MultiByteToWideChar, WideCharToMultiByte, FindFirstFileExW, FindNextFileW, GetTimeZoneInformation, GetGeoInfoW, GetUserGeoID, ReleaseMutex, CreateMutexW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, RtlPcToFileHeader, RaiseException, EncodePointer, LoadLibraryExW, GetCommandLineA, ExitProcess, GetModuleHandleExW, ExitThread, FreeLibraryAndExitThread, GetConsoleMode, ReadConsoleW, GetConsoleOutputCP, SetFileAttributesW, SetStdHandle, GetStdHandle, LCMapStringW, HeapReAlloc, SetEnvironmentVariableW, GetCPInfo, GetFileSizeEx, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, WriteConsoleW, HeapSize, GetProcAddress, HeapAlloc, GetNativeSystemInfo, LoadLibraryA, VirtualAlloc, VirtualFree, SetLastError, HeapFree, VirtualProtect, SystemTimeToTzSpecificLocalTime, CloseHandle
ADVAPI32.dll	OpenProcessToken, FreeSid, GetLengthSid, GetTokenInformation, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, CopySid, RegQueryInfoKeyW, RegQueryValueExW, CryptDestroyKey, CryptReleaseContext, CryptDestroyHash, CryptHashData, CryptDeriveKey, CryptCreateHash, CryptDecrypt, CryptAcquireContextW
WS2_32.dll	WSAAsyncSelect
USER32.dll	CharNextExA, CallNextHookEx, KillTimer, SetTimer, MsgWaitForMultipleObjectsEx, GetQueueStatus, UnhookWindowsHookEx, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, PostMessageW, PeekMessageW, DispatchMessageW, TranslateMessage, SetWindowLongPtrW, SetWindowsHookExW, DestroyWindow, GetWindowLongPtrW
SHELL32.dll	SHGetSpecialFolderPathW
ole32.dll	CoCreateInstance, CoTaskMemFree, CoInitialize, CoUninitialize

Exports

Name	Ordinal	Address
z_adler32	1	0x1400aab20
z_adler32_combine	2	0x1400aae00
z_adler32_combine64	3	0x1400aae00
z_compress	4	0x140049aa0
z_compress2	5	0x140049ac0
z_compressBound	6	0x140049b70
z_crc32	7	0x1400ab2f0
z_crc32_combine	8	0x1400ab300
z_crc32_combine64	9	0x1400ab300
z_deflate	10	0x140090200
z_deflateBound	11	0x140090b00
z_deflateCopy	12	0x140090c10
z_deflateEnd	13	0x140090e80
z_deflateInit2_	14	0x140090f60
z_deflateInit_	15	0x1400911f0
z_deflateParams	16	0x140091230
z_deflatePrime	17	0x140091350
z_deflateReset	18	0x140091390
z_deflateSetDictionary	19	0x1400914f0
z_deflateSetHeader	20	0x140091640
z_deflateTune	21	0x140091670
z_get_crc_table	22	0x1400ab310
z_inflate	23	0x140091830
z_inflateCopy	24	0x140093010
z_inflateEnd	25	0x140093250
z_inflateGetHeader	26	0x1400932b0
z_inflateInit2_	27	0x1400932e0
z_inflateInit_	28	0x1400933d0
z_inflateMark	29	0x1400933e0
z_inflatePrime	30	0x140093440
z_inflateReset	31	0x1400934a0
z_inflateReset2	32	0x140093520
z_inflateSetDictionary	33	0x1400935d0
z_inflateSync	34	0x1400936c0
z_inflateSyncPoint	35	0x140093820
z_inflateUndermine	36	0x140093850
z_uncompress	37	0x140049b90
z_zError	38	0x1400ab320
z_zlibCompileFlags	39	0x1400ab360
z_zlibVersion	40	0x1400ab370

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 03:53:03.690155983 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:03.695087910 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:03.695177078 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:03.748889923 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:03.753824949 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:04.577349901 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:04.577734947 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:04.582643032 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:04.582654953 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:04.582665920 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:04.890492916 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:04.890505075 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:04.890515089 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:04.890520096 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:04.890531063 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:04.890671015 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:04.890671015 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.107920885 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.107929945 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.107958078 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.108041048 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.108051062 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.108061075 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.108071089 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.108072042 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.108113050 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.108113050 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.108783960 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.108809948 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.108844042 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.109081984 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.109092951 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.109143019 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.326191902 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.326217890 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.326229095 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.326241016 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.326251984 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.326282978 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.326333046 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.326579094 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.326596975 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.326620102 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.326967955 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.326980114 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.326991081 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.327001095 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.327011108 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.327013016 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.327037096 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.327050924 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.327755928 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.327766895 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.327811956 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.544492006 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.544521093 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.544562101 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.544598103 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.544645071 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.544680119 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.544733047 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.544733047 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.544733047 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.545099020 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.545150042 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.545160055 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.545171022 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.545206070 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.545206070 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.545728922 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.545741081 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.545751095 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.545761108 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.545770884 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.545783043 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.545819044 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.546498060 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.546509027 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.546519995 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.546535969 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.546549082 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.546554089 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.546560049 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.546575069 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.546607971 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.592695951 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.762554884 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.762612104 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.762629986 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.762640953 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.762646914 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.762659073 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.762671947 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.762684107 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.762705088 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.762743950 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.763077974 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.763089895 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.763102055 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.763124943 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.763288021 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.763329983 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.763396978 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.763408899 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.763420105 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.763432026 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.763441086 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.763456106 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.763468027 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.763470888 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.763480902 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.763508081 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.764234066 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.764256954 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.764271975 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.764277935 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.764286995 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.764305115 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.764321089 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.764347076 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.980581999 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.980612993 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.980639935 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.980652094 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.980663061 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.980680943 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.980686903 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.980731964 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.980776072 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.980983973 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981015921 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981029987 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981040955 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981057882 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.981057882 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981070995 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981076002 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.981096029 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981106043 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.981120110 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981138945 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981154919 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981163025 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.981192112 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.981893063 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981910944 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981923103 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981934071 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981945992 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981956959 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981967926 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981970072 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.981981039 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.981992006 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.981992960 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.982006073 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:05.982016087 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.982036114 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.982059956 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:05.982795000 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.024820089 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.068715096 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.120726109 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.198615074 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198628902 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198638916 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198652983 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198662996 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198673010 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198682070 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198690891 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198695898 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198700905 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198705912 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198736906 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.198786974 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.198987007 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.198997974 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199013948 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199023008 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.199029922 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199042082 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199053049 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199054956 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.199064016 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199074030 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199081898 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199090004 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.199093103 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199117899 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.199834108 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199845076 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199853897 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199863911 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199877977 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199887991 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199892998 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.199898958 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199909925 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199919939 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199928999 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199937105 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.199937105 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.199939013 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.199959040 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.199994087 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.200699091 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.200710058 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.200733900 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.200743914 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.200753927 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.200763941 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.200766087 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.200773954 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.200788021 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.200819016 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.245773077 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.416953087 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.416964054 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.416974068 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.416984081 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417032003 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417049885 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417074919 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417087078 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417108059 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417148113 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417156935 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417166948 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417190075 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417231083 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417259932 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417293072 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417344093 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417357922 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417378902 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417555094 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417565107 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417576075 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417587042 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417589903 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417602062 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417612076 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417612076 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417646885 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417809963 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417819977 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417829990 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417839050 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417844057 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417866945 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417870998 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417881966 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417890072 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417901993 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417912960 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.417927027 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417938948 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.417952061 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.418611050 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418621063 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418631077 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418641090 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418648958 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.418651104 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418662071 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418672085 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418673992 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.418682098 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418692112 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418706894 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418715000 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.418719053 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418729067 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418739080 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.418740034 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418751955 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.418761015 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.418772936 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.418790102 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.419380903 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.419394016 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.419404030 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.419421911 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.419430971 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.419433117 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.419442892 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.419451952 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.419457912 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.419481993 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.505074024 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.547677040 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.634555101 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634567976 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634607077 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634620905 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634624004 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.634630919 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634677887 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.634685993 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634732008 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.634776115 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634785891 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634793997 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634803057 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634838104 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.634875059 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634892941 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.634968996 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634984970 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.634996891 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635006905 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635013103 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.635020971 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635031939 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635035038 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.635046005 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635066986 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.635097027 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.635274887 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635365963 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635377884 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635389090 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635399103 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635409117 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635418892 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635422945 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.635430098 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635442019 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.635472059 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.635472059 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.635675907 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635762930 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635772943 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635785103 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635801077 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635808945 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.635809898 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635821104 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:06.635839939 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.635874987 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:06.641503096 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:08.660057068 CET	49731	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:08.664908886 CET	6666	49731	206.238.220.204	192.168.2.4
Dec 30, 2024 03:53:08.665003061 CET	49731	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:53:28.815361977 CET	49731	6666	192.168.2.4	206.238.220.204

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 03:53:03.689090967 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:03.689136028 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:03.709846973 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:03.768805027 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:03.823962927 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:03.922703028 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:04.032711983 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:04.162782907 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:04.302726030 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:04.482729912 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:04.672723055 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:04.883706093 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:05.102711916 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:05.343707085 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:05.612725019 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:05.902717113 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:06.234829903 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:06.569778919 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:06.918720961 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:07.289746046 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:07.668859959 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:08.080200911 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:08.518815041 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:08.711647034 CET	50367	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:08.801759958 CET	50368	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:08.801811934 CET	50368	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:08.832591057 CET	50368	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:08.879992008 CET	50368	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:08.996959925 CET	50368	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:09.088485003 CET	50368	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:09.249202013 CET	50368	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:26.706147909 CET	50368	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:53:32.634351969 CET	53	57738	162.159.36.2	192.168.2.4
Dec 30, 2024 03:53:33.071273088 CET	59974	53	192.168.2.4	1.1.1.1
Dec 30, 2024 03:53:33.078438997 CET	53	59974	1.1.1.1	192.168.2.4
Dec 30, 2024 03:53:34.279934883 CET	49224	53	192.168.2.4	1.1.1.1
Dec 30, 2024 03:53:34.288836956 CET	53	49224	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 30, 2024 03:53:33.071273088 CET	192.168.2.4	1.1.1.1	0x10e1	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Dec 30, 2024 03:53:34.279934883 CET	192.168.2.4	1.1.1.1	0xeb4c	Standard query (0)	53.210.109.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 03:53:33.078438997 CET	1.1.1.1	192.168.2.4	0x10e1	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Dec 30, 2024 03:53:34.288836956 CET	1.1.1.1	192.168.2.4	0xeb4c	Name error (3)	53.210.109.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	21:53:00
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\quHmbPnLFV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\quHmbPnLFV.exe"
Imagebase:	0x7ff665b40000
File size:	2'835'456 bytes
MD5 hash:	E4A3903DECCB9128673C052CA0A31080
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:53:08
Start date:	29/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7296 -s 1356
Imagebase:	0x7ff6498d0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	65.2%
Signature Coverage:	19.1%
Total number of Nodes:	1660
Total number of Limit Nodes:	85

Executed Functions

Function 000001FE8FAD2B00 Relevance: 77.4, APIs: 30, Strings: 14, Instructions: 365
stringnetworklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001FE8FAE3E78: malloc.LIBCMT ref: 000001FE8FAE3E92

gethostname.WS2_32 ref: 000001FE8FAD2BB5
gethostbyname.WS2_32 ref: 000001FE8FAD2BC2
inet_ntoa.WS2_32 ref: 000001FE8FAD2BE0

Part of subcall function 000001FE8FAE45FC: _errno.LIBCMT ref: 000001FE8FAE461A
Part of subcall function 000001FE8FAE45FC: _invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE4626

Part of subcall function 000001FE8FAE45FC: _errno.LIBCMT ref: 000001FE8FAE4668

inet_ntoa.WS2_32 ref: 000001FE8FAD2C3B
MultiByteToWideChar.KERNEL32 ref: 000001FE8FAD2C98
MultiByteToWideChar.KERNEL32 ref: 000001FE8FAD2CBA
GetLastInputInfo.USER32 ref: 000001FE8FAD2CCD
GetTickCount.KERNEL32 ref: 000001FE8FAD2CD3
wsprintfW.USER32 ref: 000001FE8FAD2D07
MultiByteToWideChar.KERNEL32 ref: 000001FE8FAD2D26
MultiByteToWideChar.KERNEL32 ref: 000001FE8FAD2D4B
GetSystemInfo.KERNEL32 ref: 000001FE8FAD2D83
wsprintfW.USER32 ref: 000001FE8FAD2D9B
GetForegroundWindow.USER32 ref: 000001FE8FAD2DB9
GetWindowTextW.USER32 ref: 000001FE8FAD2DD4
lstrlenW.KERNEL32 ref: 000001FE8FAD2DE1
lstrlenW.KERNEL32 ref: 000001FE8FAD2E5D
GetModuleHandleW.KERNEL32 ref: 000001FE8FAD2ECA
GetProcAddress.KERNEL32 ref: 000001FE8FAD2EDA
GetSystemInfo.KERNEL32 ref: 000001FE8FAD2EEE
wsprintfW.USER32 ref: 000001FE8FAD2F37
GetLocalTime.KERNEL32 ref: 000001FE8FAD2FD0
wsprintfW.USER32 ref: 000001FE8FAD301C
GetLocaleInfoW.KERNEL32 ref: 000001FE8FAD3037
EnumDisplayMonitors.USER32 ref: 000001FE8FAD306D
swprintf.LIBCMT ref: 000001FE8FAD3097
swprintf.LIBCMT ref: 000001FE8FAD3107
lstrcatW.KERNEL32 ref: 000001FE8FAD3123
GetSystemDirectoryW.KERNEL32 ref: 000001FE8FAD3135
GetCurrentHwProfileW.ADVAPI32 ref: 000001FE8FAD313F

Strings

1.0, xrefs: 000001FE8FAD2E45
x86, xrefs: 000001FE8FAD2F1E
REMARK, xrefs: 000001FE8FAD2E6A
GetNativeSystemInfo, xrefs: 000001FE8FAD2ED0
Network, xrefs: 000001FE8FAD2DEE
x64, xrefs: 000001FE8FAD2F15
2024. 9. 2, xrefs: 000001FE8FAD2E8D
kernel32.dll, xrefs: 000001FE8FAD2EA7
AppEvents, xrefs: 000001FE8FAD2DE7
Run:%s Con:%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 000001FE8FAD3015
>f:yhV:, xrefs: 000001FE8FAD311C
%d min, xrefs: 000001FE8FAD2D00
GROUP, xrefs: 000001FE8FAD2DFF
X64 %s, xrefs: 000001FE8FAD2F30

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharInfoMultiWidewsprintf$System$Window_errnoinet_ntoalstrlenswprintf$AddressCountCurrentDirectoryDisplayEnumForegroundHandleInputLastLocalLocaleModuleMonitorsProcProfileTextTickTime_invalid_parameter_noinfogethostbynamegethostnamelstrcatmalloc
String ID: %d min$1.0$2024. 9. 2$>f:yhV:$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$Run:%s Con:%4d.%2d.%2d-%2d:%2d:%2d$X64 %s$kernel32.dll$x64$x86
API String ID: 3092165503-1594994734
Opcode ID: 6f9a26f35435b5e38f586dea0dd05bdbbb2e27cbbf1188ae0f7fa3827131af10
Instruction ID: 429fea298dce1b84a952d30ef6383a8d3e0da74f6edc15be503b50ba607ff936
Opcode Fuzzy Hash: 6f9a26f35435b5e38f586dea0dd05bdbbb2e27cbbf1188ae0f7fa3827131af10
Instruction Fuzzy Hash: A702A436200BC296EB20EF61E8447EA77E0F7447A8F904266DB5E576B5DF38C64AC740

Function 000001FE8FADB9A0 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
sleepsynchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 000001FE8FADB9F4
GetLocalTime.KERNEL32 ref: 000001FE8FADB9FF
wsprintfW.USER32 ref: 000001FE8FADBA45
Sleep.KERNEL32 ref: 000001FE8FADBAD7
EnumWindows.USER32 ref: 000001FE8FADBAEE
Sleep.KERNEL32 ref: 000001FE8FADBB05
EnumWindows.USER32 ref: 000001FE8FADBB1C
Sleep.KERNEL32 ref: 000001FE8FADBB2E
CreateEventA.KERNEL32 ref: 000001FE8FADBB94
CloseHandle.KERNEL32 ref: 000001FE8FADBC21

Part of subcall function 000001FE8FAE3E78: malloc.LIBCMT ref: 000001FE8FAE3E92

Sleep.KERNEL32 ref: 000001FE8FADBC5F
WaitForSingleObject.KERNEL32 ref: 000001FE8FADBC83
CloseHandle.KERNEL32 ref: 000001FE8FADBC8C
CloseHandle.KERNEL32 ref: 000001FE8FADBC9D
WaitForSingleObject.KERNEL32 ref: 000001FE8FADBCB7
CloseHandle.KERNEL32 ref: 000001FE8FADBCC0
CloseHandle.KERNEL32 ref: 000001FE8FADBCD1

Strings

6341, xrefs: 000001FE8FADBB37, 000001FE8FADBB61
192.168.1.2, xrefs: 000001FE8FADBB46, 000001FE8FADBBB5
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 000001FE8FADBA37

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventLocalTimemallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$192.168.1.2$6341
API String ID: 2252640433-291747511
Opcode ID: e11e14edb89984939ee2fba468cc7826a2202fde34ed19499967ef9fe7804308
Instruction ID: 8c1606e782706e0927ed71dbea0b70106a8976eb55918ad51e8da492ec53f680
Opcode Fuzzy Hash: e11e14edb89984939ee2fba468cc7826a2202fde34ed19499967ef9fe7804308
Instruction Fuzzy Hash: 68916A72204A8286EB24BF25E8507FE77E0F785BE4F504265DB8A4BAB4DF38C546C740

Function 00007FF665B44610 Relevance: 31.9, APIs: 16, Strings: 2, Instructions: 354
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF665B44648
GetProcAddress.KERNEL32 ref: 00007FF665B44658
SetLastError.KERNEL32 ref: 00007FF665B446A7
GetNativeSystemInfo.KERNELBASE ref: 00007FF665B4472D
VirtualAlloc.KERNELBASE ref: 00007FF665B44779
VirtualAlloc.KERNEL32 ref: 00007FF665B44796
SetLastError.KERNEL32 ref: 00007FF665B447A7
GetProcessHeap.KERNEL32 ref: 00007FF665B447BC
HeapAlloc.KERNEL32 ref: 00007FF665B447CE
VirtualFree.KERNEL32 ref: 00007FF665B447EC
SetLastError.KERNEL32 ref: 00007FF665B447F5
SetLastError.KERNEL32 ref: 00007FF665B44866

Part of subcall function 00007FF665B44B90: GetProcessHeap.KERNEL32(?,?,?,00007FF665B44874), ref: 00007FF665B44C34
Part of subcall function 00007FF665B44B90: HeapFree.KERNEL32(?,?,?,00007FF665B44874), ref: 00007FF665B44C42

VirtualAlloc.KERNELBASE ref: 00007FF665B448CA
VirtualAlloc.KERNELBASE ref: 00007FF665B4498D
RtlAddFunctionTable.KERNEL32 ref: 00007FF665B44B1C
SetLastError.KERNEL32 ref: 00007FF665B44B77

Strings

RtlAddFunctionTable, xrefs: 00007FF665B44651
ntdll, xrefs: 00007FF665B44641

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AllocErrorLastVirtual$Heap$FreeProcess$AddressFunctionHandleInfoModuleNativeProcSystemTable
String ID: RtlAddFunctionTable$ntdll
API String ID: 1700573182-1103699993
Opcode ID: 1198e67249c0b7e84dde9154b3b4e9c9355052bda3a350e5c94f78a972d0fa75
Instruction ID: aa0a6f233529620cc722009a057f98c944196e638f9b54405c6e7a291f4c52b2
Opcode Fuzzy Hash: 1198e67249c0b7e84dde9154b3b4e9c9355052bda3a350e5c94f78a972d0fa75
Instruction Fuzzy Hash: 93F10A32A09A42C6EB648F16E46177973B1FB49F84F444139DA8E8B798EF3DE855C700

Function 000001FE8FAD4900 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 133
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32 ref: 000001FE8FAD496B
RegQueryValueExW.ADVAPI32 ref: 000001FE8FAD49DC
lstrcmpW.KERNEL32 ref: 000001FE8FAD49F9
RegCloseKey.ADVAPI32 ref: 000001FE8FAD4B23
RegCloseKey.ADVAPI32 ref: 000001FE8FAD4B2E

Strings

error, xrefs: 000001FE8FAD4B12
%s-%d, xrefs: 000001FE8FAD4AE2

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcmp
String ID: %s-%d$error
API String ID: 4288439342-992067998
Opcode ID: 339020dc813d921992459e6716a65cd383114c8633f93e4cc4539f4e2fb5fbc3
Instruction ID: 2e6781875911672bde0c156df7814767ee8bf7d887f8bb34026b01f7eddf801b
Opcode Fuzzy Hash: 339020dc813d921992459e6716a65cd383114c8633f93e4cc4539f4e2fb5fbc3
Instruction Fuzzy Hash: 53513431315AC282EBA0AB11F494BEB63E4F784BD5F505271EB8987AB4DF38C556CB00

Function 00007FF665B43FB0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 79
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF665B43FE9
CryptAcquireContextW.ADVAPI32 ref: 00007FF665B4400C
CryptCreateHash.ADVAPI32 ref: 00007FF665B4403F
CryptHashData.ADVAPI32 ref: 00007FF665B4405B
CryptDeriveKey.ADVAPI32 ref: 00007FF665B44081
CryptDecrypt.ADVAPI32 ref: 00007FF665B440AD
CryptDestroyKey.ADVAPI32 ref: 00007FF665B440B7
CryptDestroyHash.ADVAPI32 ref: 00007FF665B440C1
CryptReleaseContext.ADVAPI32 ref: 00007FF665B440CD
CloseHandle.KERNEL32 ref: 00007FF665B440DA
CloseHandle.KERNEL32 ref: 00007FF665B440E7

Strings

2b134t52mhhbGaN4, xrefs: 00007FF665B4404D
Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00007FF665B43FD0, 00007FF665B43FFF
Error creating a keyset!, xrefs: 00007FF665B44016

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Crypt$ContextHash$AcquireCloseDestroyHandle$CreateDataDecryptDeriveRelease
String ID: 2b134t52mhhbGaN4$Error creating a keyset!$Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 3666277636-84394693
Opcode ID: f172555bccba036a97b3cd1372cebb2be6ca885063ea5db245dcb55184fec282
Instruction ID: f8c200430ea3a714b2a41c7600a546a2d14bcffeac726977d6edf308be553ead
Opcode Fuzzy Hash: f172555bccba036a97b3cd1372cebb2be6ca885063ea5db245dcb55184fec282
Instruction Fuzzy Hash: F4414A32B04A52C5F720CF61E856AB933B1FB88B58B404235D95E9BBA8DF3CD949C704

Function 000001FE8FAD4D10 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 82
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 000001FE8FAD4D25
GetProcAddress.KERNEL32 ref: 000001FE8FAD4D41
swprintf.LIBCMT ref: 000001FE8FAD4DA1

Part of subcall function 000001FE8FAE3DE8: _vswprintf_s_l.LIBCMT ref: 000001FE8FAE3E02

Part of subcall function 000001FE8FAD4C90: GetModuleHandleW.KERNEL32 ref: 000001FE8FAD4CBB
Part of subcall function 000001FE8FAD4C90: GetProcAddress.KERNEL32 ref: 000001FE8FAD4CCB
Part of subcall function 000001FE8FAD4C90: GetNativeSystemInfo.KERNELBASE ref: 000001FE8FAD4CDB

RegOpenKeyExW.ADVAPI32 ref: 000001FE8FAD4E07
RegQueryValueExW.ADVAPI32 ref: 000001FE8FAD4E32
RegCloseKey.ADVAPI32 ref: 000001FE8FAD4E57
FreeLibrary.KERNEL32 ref: 000001FE8FAD4E6D

Strings

%d.%d.%d, xrefs: 000001FE8FAD4D86
RtlGetNtVersionNumbers, xrefs: 000001FE8FAD4D37
ntdll.dll, xrefs: 000001FE8FAD4D1B
ProductName, xrefs: 000001FE8FAD4E1E
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 000001FE8FAD4DE6

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValue_vswprintf_s_lswprintf
String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 1494749741-3190923360
Opcode ID: 63a278c1726442162d98cc2237712d9ccc026d0492f426b623a28aeacd60e9e6
Instruction ID: f31d641789857ebd4976b49026e3df6267a8fe587f58213e11c0ef7d3088fd6f
Opcode Fuzzy Hash: 63a278c1726442162d98cc2237712d9ccc026d0492f426b623a28aeacd60e9e6
Instruction Fuzzy Hash: FA315E36215BC296EA60AB11E4507E973A0FB85FE4F444361EF9A57BA8DF38C516CB00

Function 000001FE8FAD14F0 Relevance: 18.1, APIs: 12, Instructions: 139
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 000001FE8FAD1526
timeGetTime.WINMM ref: 000001FE8FAD1535
socket.WS2_32 ref: 000001FE8FAD156D
lstrlenW.KERNEL32 ref: 000001FE8FAD159A
WideCharToMultiByte.KERNEL32 ref: 000001FE8FAD15BE
lstrlenW.KERNEL32 ref: 000001FE8FAD15D8
WideCharToMultiByte.KERNEL32 ref: 000001FE8FAD15FB
gethostbyname.WS2_32 ref: 000001FE8FAD1608
htons.WS2_32 ref: 000001FE8FAD1630
connect.WS2_32 ref: 000001FE8FAD165A

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventResetTimeconnectgethostbynamehtonssockettime
String ID:
API String ID: 950253168-0
Opcode ID: e4f1b628e603b8c0e271cec45e5bcd3519c32228a8b6efe7a25591412e67fb9e
Instruction ID: ed47b133812dd781fefe460404a514a0b40200c84aacb472891bc64b054dfc42
Opcode Fuzzy Hash: e4f1b628e603b8c0e271cec45e5bcd3519c32228a8b6efe7a25591412e67fb9e
Instruction Fuzzy Hash: D1511B36204B8186DB60DF65F4407AAB7E4F789BA4F104229EB9A57B74DF3CD0469B00

Function 00000001400014F0 Relevance: 18.1, APIs: 12, Instructions: 139
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 0000000140001526
timeGetTime.WINMM ref: 0000000140001535
socket.WS2_32 ref: 000000014000156D
lstrlenW.KERNEL32 ref: 000000014000159A
WideCharToMultiByte.KERNEL32 ref: 00000001400015BE
lstrlenW.KERNEL32 ref: 00000001400015D8
WideCharToMultiByte.KERNEL32 ref: 00000001400015FB
gethostbyname.WS2_32 ref: 0000000140001608
htons.WS2_32 ref: 0000000140001630
connect.WS2_32 ref: 000000014000165A

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventResetTimeconnectgethostbynamehtonssockettime
String ID:
API String ID: 950253168-0
Opcode ID: 6be368349b335f687857114e3581a3aed3ff549df64c905fc01b56a36ba75a01
Instruction ID: e00b2aa1afe8dc942cd989892e5c322118a8095490c56380a45fdb8c14d7f693
Opcode Fuzzy Hash: 6be368349b335f687857114e3581a3aed3ff549df64c905fc01b56a36ba75a01
Instruction Fuzzy Hash: 76512A72204B8087DB65CF66F8407AAB7A4F789B98F004219EB9E57B65DF3DC149DB00

Function 00000001400041B0 Relevance: 16.5, APIs: 11, Instructions: 43
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00000001400041BD
GetConsoleWindow.KERNEL32 ref: 00000001400041C3
ShowWindow.USER32 ref: 00000001400041CE
GetCurrentThreadId.KERNEL32 ref: 00000001400041D4
PostThreadMessageA.USER32 ref: 00000001400041E4
GetInputState.USER32 ref: 00000001400041EA
CreateThread.KERNELBASE ref: 000000014000420E
CreateThread.KERNELBASE ref: 0000000140004232
WaitForSingleObject.KERNEL32 ref: 0000000140004242
CloseHandle.KERNEL32 ref: 000000014000424F
Sleep.KERNEL32 ref: 000000014000425A

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$CreateWindow$CloseConsoleCurrentExceptionFilterHandleInputMessageObjectPostShowSingleSleepStateUnhandledWait
String ID:
API String ID: 1785272045-0
Opcode ID: ee474838568d569156a9ab4685564af73a3dd786a2dd2134ad0acab19430d296
Instruction ID: fe11c5c89b342f1589b79449597d4b3e4c24726e3e961e716cd572b682034483
Opcode Fuzzy Hash: ee474838568d569156a9ab4685564af73a3dd786a2dd2134ad0acab19430d296
Instruction Fuzzy Hash: 52111575610A0082F717DB72FC697EA33A2BB8C795F44412ABB5A4B671CF3985899200

Function 000001FE8FAD4770 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDriveTypeW.KERNEL32 ref: 000001FE8FAD47DA
GetDiskFreeSpaceExW.KERNEL32 ref: 000001FE8FAD47FE
GlobalMemoryStatusEx.KERNEL32 ref: 000001FE8FAD4865
swprintf.LIBCMT ref: 000001FE8FAD48A2
swprintf.LIBCMT ref: 000001FE8FAD48BE

Strings

HDD:%d, xrefs: 000001FE8FAD4879
:, xrefs: 000001FE8FAD47BE
@, xrefs: 000001FE8FAD482E
%sFree%d Gb , xrefs: 000001FE8FAD48A7

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType
String ID: %sFree%d Gb $:$@$HDD:%d
API String ID: 2105347210-3501811827
Opcode ID: 921d8f27bbcfc5cac4d84ec7f6df4691689466164058b9f85b3ed9747272aa44
Instruction ID: d5cb8dfea97e23ebff8790d1277cc878c118b0d51b949dbe91249d175ad44430
Opcode Fuzzy Hash: 921d8f27bbcfc5cac4d84ec7f6df4691689466164058b9f85b3ed9747272aa44
Instruction Fuzzy Hash: 2D314836608BC586E760EF16B84079BB7A4F389794F901226EBCD43B29DF39C556CB00

Function 000001FE8FAD4B60 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63comstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000001FE8FAD4B86

Part of subcall function 000001FE8FAD4900: RegOpenKeyExW.ADVAPI32 ref: 000001FE8FAD496B
Part of subcall function 000001FE8FAD4900: RegCloseKey.ADVAPI32 ref: 000001FE8FAD4B23
Part of subcall function 000001FE8FAD4900: RegCloseKey.ADVAPI32 ref: 000001FE8FAD4B2E

CoInitialize.OLE32 ref: 000001FE8FAD4BB8
CoCreateInstance.OLE32 ref: 000001FE8FAD4BDC
swprintf.LIBCMT ref: 000001FE8FAD4C6A

Strings

%s , xrefs: 000001FE8FAD4C31
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000, xrefs: 000001FE8FAD4B9B
DriverDesc, xrefs: 000001FE8FAD4B94

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Close$CreateInitializeInstanceOpenlstrlenswprintf
String ID: %s $DriverDesc$SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
API String ID: 900129089-2074342395
Opcode ID: 414001dd6f4b59178dfbdb8a04c3b81a196c16d8098a2c073610e78b58e0a71d
Instruction ID: b7dd906dde1eadeb58f75accb662451bdfd556c31a4431f292fb692660d8fd05
Opcode Fuzzy Hash: 414001dd6f4b59178dfbdb8a04c3b81a196c16d8098a2c073610e78b58e0a71d
Instruction Fuzzy Hash: F1216F36224A8A83EB11EF25E4457D977A0F7C8B95F805222EB4E47764DF39C90ACB00

Function 000001FE8FAE6968 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000001FE8FAE69D5
RtlLookupFunctionEntry.KERNEL32 ref: 000001FE8FAE69ED
RtlVirtualUnwind.KERNEL32 ref: 000001FE8FAE6A27
IsDebuggerPresent.KERNEL32 ref: 000001FE8FAE6A5D
SetUnhandledExceptionFilter.KERNEL32 ref: 000001FE8FAE6A67
UnhandledExceptionFilter.KERNEL32 ref: 000001FE8FAE6A72

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 14f04c64a592990b04a434c863bea14f9e693fb1411986df20686f0e1fcf2037
Instruction ID: 26dd35d8292e17f3a1a80a383d0c12133b572318fe7e3146576035a2fd5506be
Opcode Fuzzy Hash: 14f04c64a592990b04a434c863bea14f9e693fb1411986df20686f0e1fcf2037
Instruction Fuzzy Hash: 5F314D32214F8186DB60DB25E8507EE73E4F7887A4F540265EB9D47BA9EF38C546CB00

Function 000001FE8FAE95AC Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 000001FE8FAE95C2
GetVersion.KERNEL32 ref: 000001FE8FAE95D4
HeapSetInformation.KERNEL32 ref: 000001FE8FAE95F2

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: 2da6a33331be37aea9e041944a378e02ae9d1d2031e246c02c7f00763c845b9d
Instruction ID: 9762234abf56566a40acbb21629f865e49837f74366e360dbcd12cc7b60ef2a7
Opcode Fuzzy Hash: 2da6a33331be37aea9e041944a378e02ae9d1d2031e246c02c7f00763c845b9d
Instruction Fuzzy Hash: 4FE03974211AC282EB84BB54A859BE92294F7883E2F900564EA0A026A4EF38804B8610

Function 000001FE8FAD1750 Relevance: 3.1, APIs: 2, Instructions: 64networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE3E78: malloc.LIBCMT ref: 000001FE8FAE3E92

select.WS2_32 ref: 000001FE8FAD17E5
recv.WS2_32 ref: 000001FE8FAD1807

Part of subcall function 000001FE8FAD1BC0: VirtualAlloc.KERNEL32 ref: 000001FE8FAD1D4E

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: AllocVirtualmallocrecvselect
String ID:
API String ID: 1241053632-0
Opcode ID: a988ccf7a066a7ec199917bd5ea2c0e45977bb7d9429f392867354966ccba78a
Instruction ID: da906946f811fe3034de1551e16bdf189c9d97e0d602735662b5d46e6c8cd5bf
Opcode Fuzzy Hash: a988ccf7a066a7ec199917bd5ea2c0e45977bb7d9429f392867354966ccba78a
Instruction Fuzzy Hash: E3218B72714AC181EB71AB25E5543BE67E1F789BE8F404275DB8A87BA9DF38C0468700

Function 000001FE8FAD3830 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 70
synchronizationsleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 000001FE8FAD3854
CreateMutexExW.KERNELBASE ref: 000001FE8FAD385A
Sleep.KERNEL32 ref: 000001FE8FAD3875
CreateMutexW.KERNEL32 ref: 000001FE8FAD3886
GetLastError.KERNEL32 ref: 000001FE8FAD388C
lstrlenW.KERNEL32 ref: 000001FE8FAD38C5
lstrcmpW.KERNEL32 ref: 000001FE8FAD3902
Sleep.KERNEL32 ref: 000001FE8FAD3911
GetModuleHandleW.KERNEL32 ref: 000001FE8FAD3922
GetConsoleWindow.KERNEL32 ref: 000001FE8FAD392D

Strings

key, xrefs: 000001FE8FAD38D7
open, xrefs: 000001FE8FAD38D0
2024. 9. 2, xrefs: 000001FE8FAD3849, 000001FE8FAD387B

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CreateMutex$Sleep$ConsoleErrorHandleLastModuleWindowlstrcmplstrlen
String ID: 2024. 9. 2$key$open
API String ID: 4141083079-93764921
Opcode ID: 66d0600071f0f3915794d2991b8f21b3d63c5bbc832a269f4ff7be3149a67255
Instruction ID: d5a63bec561d879295f4e84790fbbc96d57bab469218344727215ff51fdcece3
Opcode Fuzzy Hash: 66d0600071f0f3915794d2991b8f21b3d63c5bbc832a269f4ff7be3149a67255
Instruction Fuzzy Hash: 60312935210AC382FB54BB21E8647FA23E1FB847A4F9443B5E74A4A6B5DF39C50AC740

Function 0000000140003AC0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 0000000140003B10
SleepEx.KERNELBASE ref: 0000000140003B45
SleepEx.KERNELBASE ref: 0000000140003CB4
CreateEventA.KERNEL32 ref: 0000000140003D0B
SleepEx.KERNELBASE ref: 0000000140003D4F
CloseHandle.KERNELBASE ref: 0000000140003D8E

Strings

8888, xrefs: 0000000140003BA7
6666, xrefs: 0000000140003B86, 0000000140003BB3, 0000000140003C19, 0000000140003CBD
206.238.220.204, xrefs: 0000000140003B5E, 0000000140003C01, 0000000140003CCC
206.238.220.204, xrefs: 0000000140003B9B
206.238.220.204, xrefs: 0000000140003B6E
6666, xrefs: 0000000140003B7A

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Sleep$CloseCreateEventHandle
String ID: 206.238.220.204$206.238.220.204$206.238.220.204$6666$6666$8888
API String ID: 1603472376-913434440
Opcode ID: a0f3fcac8467a186e70fc3d0f1e9634cb6668e8e39ecb6f8bf227a2d123b2ab3
Instruction ID: f9672b19bd4d940d0eafbb644b3287daaa15567fe727fe739266967074bb03a5
Opcode Fuzzy Hash: a0f3fcac8467a186e70fc3d0f1e9634cb6668e8e39ecb6f8bf227a2d123b2ab3
Instruction Fuzzy Hash: B2812475220A4086E713DB66E854BE977A5F78DBC4F80412AFB1A47AF1CF38C945C740

Function 000001FE8FAE0FD0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32 ref: 000001FE8FAE0FF8
connect.WS2_32 ref: 000001FE8FAE101D
WSAGetLastError.WS2_32 ref: 000001FE8FAE102C
connect.WS2_32 ref: 000001FE8FAE1067
WSAEventSelect.WS2_32 ref: 000001FE8FAE1080
SetLastError.KERNEL32 ref: 000001FE8FAE109B
GetLastError.KERNEL32 ref: 000001FE8FAE10B3
WSASetLastError.WS2_32 ref: 000001FE8FAE10C5
send.WS2_32 ref: 000001FE8FAE10E9
WSAGetLastError.WS2_32 ref: 000001FE8FAE10F4

Strings

<C-CNNID: %Iu> send 0 bytes (detect package), xrefs: 000001FE8FAE1108

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$EventSelectconnect$send
String ID: <C-CNNID: %Iu> send 0 bytes (detect package)
API String ID: 1826129850-4236689219
Opcode ID: dcf0498b7daf1886a9e955b361d597334a96f5170af3cf8f91b6c37e3f771d0e
Instruction ID: 4a2788d7c579988a2cf66795f4b4f92f396d46f87ab15a38d39c27d1577bcaad
Opcode Fuzzy Hash: dcf0498b7daf1886a9e955b361d597334a96f5170af3cf8f91b6c37e3f771d0e
Instruction Fuzzy Hash: 6231753131099282EBA0AF66E5947A923E0F748BF0F504775DB5987AF4DF79C8978700

Function 00000001400094E0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32 ref: 0000000140009508
connect.WS2_32 ref: 000000014000952D
WSAGetLastError.WS2_32 ref: 000000014000953C
connect.WS2_32 ref: 0000000140009577
WSAEventSelect.WS2_32 ref: 0000000140009590
SetLastError.KERNEL32 ref: 00000001400095AB
GetLastError.KERNEL32 ref: 00000001400095C3
WSASetLastError.WS2_32 ref: 00000001400095D5
send.WS2_32 ref: 00000001400095F9
WSAGetLastError.WS2_32 ref: 0000000140009604

Strings

<C-CNNID: %Iu> send 0 bytes (detect package), xrefs: 0000000140009618

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$EventSelectconnect$send
String ID: <C-CNNID: %Iu> send 0 bytes (detect package)
API String ID: 1826129850-4236689219
Opcode ID: 139d6e0b11e75e2d957019177b71ab07b7833485f606efeb0368cc19468fda0d
Instruction ID: 99e2289132232311c34ceb59dbb758c0b81f7082a8ce3018f105167220c7fc9e
Opcode Fuzzy Hash: 139d6e0b11e75e2d957019177b71ab07b7833485f606efeb0368cc19468fda0d
Instruction Fuzzy Hash: 22316171714A1082FBA2DB67E8957A92260FB4CBE4F500624EB1D87AF0CF79C8D59700

Function 00007FF665B49920 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00007FF665B499E8
GetProcAddress.KERNEL32 ref: 00007FF665B49A2F
GetProcAddress.KERNEL32 ref: 00007FF665B49A72
GetFileVersionInfoSizeExW.KERNELBASE ref: 00007FF665B49AC1
GetFileVersionInfoW.KERNELBASE ref: 00007FF665B49AE8

Strings

VerQueryValueW, xrefs: 00007FF665B49A25
GetFileVersionInfoSizeW, xrefs: 00007FF665B499DE
GetFileVersionInfoW, xrefs: 00007FF665B49A68

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc$FileInfoVersion$Size
String ID: GetFileVersionInfoSizeW$GetFileVersionInfoW$VerQueryValueW
API String ID: 2598009218-981298171
Opcode ID: efbc4de875c51c5db1a2f3792e47a6250654341176fabd58788366e8468207f5
Instruction ID: f3472d5887935b2a9dbb74b1273dbb18f07282c16cae14f2efe9160f38c73f4c
Opcode Fuzzy Hash: efbc4de875c51c5db1a2f3792e47a6250654341176fabd58788366e8468207f5
Instruction Fuzzy Hash: FC716022B09A52CAFB60CF65D5622BD23B0AB49F98F444135ED4E9B799DE38DD06C340

Function 000001FE8FAE1A60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE13F0: EnterCriticalSection.KERNEL32 ref: 000001FE8FAE141E
Part of subcall function 000001FE8FAE13F0: LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE1472

send.WS2_32 ref: 000001FE8FAE1AC3
EnterCriticalSection.KERNEL32 ref: 000001FE8FAE1AD6
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE1AE9
SetLastError.KERNEL32 ref: 000001FE8FAE1AF1
WSAGetLastError.WS2_32 ref: 000001FE8FAE1B6E
EnterCriticalSection.KERNEL32 ref: 000001FE8FAE1B82
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE1BC8

Strings

<C-CNNID: %Iu> OnSend() event should not return 'HR_ERROR' !!, xrefs: 000001FE8FAE1B14

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLast$send
String ID: <C-CNNID: %Iu> OnSend() event should not return 'HR_ERROR' !!
API String ID: 484515946-1981346945
Opcode ID: 3feb2db3476dfe5488b86a50e82330a31573681218d9595143e5917083d90cfd
Instruction ID: 9d51d9839f57b3090a93184d24b1d6a4a86d3322c67346e1047a5db010c6b810
Opcode Fuzzy Hash: 3feb2db3476dfe5488b86a50e82330a31573681218d9595143e5917083d90cfd
Instruction Fuzzy Hash: 33516132205F9282EBA4AB25E5503FEB3E0F7487E0F540265DB9A47BA1EF38D056C700

Function 0000000140009F70 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140009900: EnterCriticalSection.KERNEL32 ref: 000000014000992E
Part of subcall function 0000000140009900: LeaveCriticalSection.KERNEL32 ref: 0000000140009982

send.WS2_32 ref: 0000000140009FD3
EnterCriticalSection.KERNEL32 ref: 0000000140009FE6
LeaveCriticalSection.KERNEL32 ref: 0000000140009FF9
SetLastError.KERNEL32 ref: 000000014000A001
WSAGetLastError.WS2_32 ref: 000000014000A07E
EnterCriticalSection.KERNEL32 ref: 000000014000A092
LeaveCriticalSection.KERNEL32 ref: 000000014000A0D8

Strings

<C-CNNID: %Iu> OnSend() event should not return 'HR_ERROR' !!, xrefs: 000000014000A024

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLast$send
String ID: <C-CNNID: %Iu> OnSend() event should not return 'HR_ERROR' !!
API String ID: 484515946-1981346945
Opcode ID: 5d57d71f2378e127ec58ca066b800eec07ab1c04eeec1237c94df71af28c7d82
Instruction ID: e19302107cfcd4d779bf577067bd819c2068326c636a879e7a686293c695ea1d
Opcode Fuzzy Hash: 5d57d71f2378e127ec58ca066b800eec07ab1c04eeec1237c94df71af28c7d82
Instruction Fuzzy Hash: D35158B2205B4086EA66DB22F5403EEB3A5F74DBE0F440216EB9A47BA5DF38D595C700

Function 000001FE8FAE1830 Relevance: 12.1, APIs: 8, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000001FE8FAE185B
free.LIBCMT ref: 000001FE8FAE1870

Part of subcall function 000001FE8FAE4698: HeapFree.KERNEL32 ref: 000001FE8FAE46AE
Part of subcall function 000001FE8FAE4698: _errno.LIBCMT ref: 000001FE8FAE46B8

ResetEvent.KERNEL32 ref: 000001FE8FAE1891
ResetEvent.KERNEL32 ref: 000001FE8FAE189E
ResetEvent.KERNEL32 ref: 000001FE8FAE18AB
HeapDestroy.KERNEL32 ref: 000001FE8FAE1926
HeapCreate.KERNEL32 ref: 000001FE8FAE1940
SetEvent.KERNEL32 ref: 000001FE8FAE197D

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Event$HeapReset$CreateCriticalDestroyEnterFreeSection_errnofree
String ID:
API String ID: 1991875446-0
Opcode ID: de5582a7b0bf2a448274a9d0fdd65a3dc77adcada3569edc15a99a045779d6d1
Instruction ID: fa369fae2dab27230243fc406dd7b77efbba9b72aa4849e436242899f75c9f8e
Opcode Fuzzy Hash: de5582a7b0bf2a448274a9d0fdd65a3dc77adcada3569edc15a99a045779d6d1
Instruction Fuzzy Hash: F2412936211BD1D6EA5CAF60D5603ECB3A4F784BA0F144266DBA9476A0CF74A476C740

Function 0000000140009D40 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140009D6B
free.LIBCMT ref: 0000000140009D80

Part of subcall function 000000014000CDD8: RtlFreeHeap.NTDLL(?,?,?,000000014000105E), ref: 000000014000CDEE
Part of subcall function 000000014000CDD8: _errno.LIBCMT ref: 000000014000CDF8

ResetEvent.KERNEL32 ref: 0000000140009DA1
ResetEvent.KERNEL32 ref: 0000000140009DAE
ResetEvent.KERNEL32 ref: 0000000140009DBB
HeapDestroy.KERNELBASE ref: 0000000140009E36
HeapCreate.KERNELBASE ref: 0000000140009E50
SetEvent.KERNEL32 ref: 0000000140009E8D

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Event$HeapReset$CreateCriticalDestroyEnterFreeSection_errnofree
String ID:
API String ID: 1991875446-0
Opcode ID: 6ef91d862449374a31e2c21f56ecfbe812c5402d2ca77ce0ef17b07c2c2b9022
Instruction ID: 1ffd33958d62e9c4de6f4506ee27df3a5b23c8e9bdd76c965bdead2542330309
Opcode Fuzzy Hash: 6ef91d862449374a31e2c21f56ecfbe812c5402d2ca77ce0ef17b07c2c2b9022
Instruction Fuzzy Hash: 55413976211B80E6E65ECB22EA503ECB364F788BD0F144226EBA9476B1CF74D475C740

Function 0000000140003DA0 Relevance: 10.6, APIs: 7, Instructions: 124sleepCOMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 0000000140003DF0
SleepEx.KERNELBASE ref: 0000000140003E25
SleepEx.KERNELBASE ref: 0000000140003EAB
SleepEx.KERNELBASE ref: 0000000140003EB6
CreateEventA.KERNEL32 ref: 0000000140003F0D
Sleep.KERNEL32 ref: 0000000140003F51
CloseHandle.KERNEL32 ref: 0000000140003F90

Part of subcall function 000000014000C364: malloc.LIBCMT ref: 000000014000C37E

Part of subcall function 0000000140001E00: timeGetTime.WINMM ref: 0000000140001E8B
Part of subcall function 0000000140001E00: CreateEventW.KERNEL32 ref: 0000000140001E9F
Part of subcall function 0000000140001E00: CreateEventW.KERNEL32 ref: 0000000140001EB3

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Sleep$CreateEvent$CloseHandleTimemalloctime
String ID:
API String ID: 3316233393-0
Opcode ID: 482f008a18393b0adca5cb6b4fb91beae11170d46349654fa1bb411dd128e68f
Instruction ID: 8082ef83bc92b70553dfdb52a9dee960ae8875b1953704e18da45eb19ea91207
Opcode Fuzzy Hash: 482f008a18393b0adca5cb6b4fb91beae11170d46349654fa1bb411dd128e68f
Instruction Fuzzy Hash: B7514572205B4086EB26DB22E5587E973A9E78DBD4F40421AFB5A47BE5CF38C944CB40

Function 000001FE8FAD4C90 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001FE8FAD4CBB
GetProcAddress.KERNEL32 ref: 000001FE8FAD4CCB
GetNativeSystemInfo.KERNELBASE ref: 000001FE8FAD4CDB
GetSystemInfo.KERNEL32 ref: 000001FE8FAD4CDF

Strings

kernel32.dll, xrefs: 000001FE8FAD4C96
GetNativeSystemInfo, xrefs: 000001FE8FAD4CC1

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 4c543a427f66828ddaee1c6b6b9de7146d4486ede89bd39138456da059a21970
Instruction ID: 8bf49acd1307d2ba9f5b6e7f1904ed7732a87c9a18b761cea5135c8828ec0c58
Opcode Fuzzy Hash: 4c543a427f66828ddaee1c6b6b9de7146d4486ede89bd39138456da059a21970
Instruction Fuzzy Hash: E6014F35605FC282DAA1BB10B8503A673E0F788B90F940275DBCE87764EF3CC2668700

Function 00007FF665BAFEF0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 358COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665BB1260: GetFileAttributesW.KERNEL32 ref: 00007FF665BB133B
Part of subcall function 00007FF665BB1260: GetLastError.KERNEL32 ref: 00007FF665BB1378

SetErrorMode.KERNELBASE ref: 00007FF665BB013D
GetFileAttributesExW.KERNEL32 ref: 00007FF665BB018E
SetErrorMode.KERNEL32 ref: 00007FF665BB0289

Part of subcall function 00007FF665BB1950: CoCreateInstance.OLE32 ref: 00007FF665BB19C4
Part of subcall function 00007FF665BB1950: CoInitialize.OLE32 ref: 00007FF665BB19D6
Part of subcall function 00007FF665BB1950: CoCreateInstance.OLE32 ref: 00007FF665BB19FA

SetErrorMode.KERNELBASE ref: 00007FF665BB0279

Strings

.lnk, xrefs: 00007FF665BAFF6E

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Error$Mode$AttributesCreateFileInstance$InitializeLast
String ID: .lnk
API String ID: 3954637025-24824748
Opcode ID: b24c9fa08b6c10a9395fee26efdd86fb9591dd87fe76247a54ad9b3307d2d46f
Instruction ID: 409b9a290bd7454b945bc6841e4f194643b963740e37db3aacc2eaead3ec88af
Opcode Fuzzy Hash: b24c9fa08b6c10a9395fee26efdd86fb9591dd87fe76247a54ad9b3307d2d46f
Instruction Fuzzy Hash: 81F1C232609A45CAE724DF25D5A22BD73B0FB89B48F144135EA8ECB698DF7CD841CB00

Function 000001FE8FAE1710 Relevance: 9.1, APIs: 6, Instructions: 76threadnetworkCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001FE8FAE171D

Part of subcall function 000001FE8FAE1650: SwitchToThread.KERNEL32 ref: 000001FE8FAE169D

SetEvent.KERNEL32 ref: 000001FE8FAE1757
CloseHandle.KERNEL32 ref: 000001FE8FAE1785
WSACloseEvent.WS2_32 ref: 000001FE8FAE17D4
shutdown.WS2_32 ref: 000001FE8FAE17ED
closesocket.WS2_32 ref: 000001FE8FAE17F7

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CloseEventThread$CurrentHandleSwitchclosesocketshutdown
String ID:
API String ID: 3526870478-0
Opcode ID: 932c4ec2da38c0ac6b1f6ceccf3195afbf5e37ca85e201a0a25c999c6e004dca
Instruction ID: aa69897c604cba4f4ffd3be8b145b177c30753f577c629232c220703556eac1a
Opcode Fuzzy Hash: 932c4ec2da38c0ac6b1f6ceccf3195afbf5e37ca85e201a0a25c999c6e004dca
Instruction Fuzzy Hash: BB310876200A9282EB90AF25D4602AC33B1E788FF8F150371DF2A477E9CF34C8968740

Function 0000000140009C20 Relevance: 9.1, APIs: 6, Instructions: 76threadnetworkCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000000140009C2D

Part of subcall function 0000000140009B60: SwitchToThread.KERNEL32 ref: 0000000140009BAD

SetEvent.KERNEL32 ref: 0000000140009C67
CloseHandle.KERNELBASE ref: 0000000140009C95
WSACloseEvent.WS2_32 ref: 0000000140009CE4
shutdown.WS2_32 ref: 0000000140009CFD
closesocket.WS2_32 ref: 0000000140009D07

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CloseEventThread$CurrentHandleSwitchclosesocketshutdown
String ID:
API String ID: 3526870478-0
Opcode ID: 341751bcb2a9e39f1c64cda1b8c336d908026eaed392cb499eb77cff94f1bf09
Instruction ID: ee6b78ee20e75a199ac0f8d51655120480989cb093c4aabf2c1e140e6d99fe91
Opcode Fuzzy Hash: 341751bcb2a9e39f1c64cda1b8c336d908026eaed392cb499eb77cff94f1bf09
Instruction Fuzzy Hash: 51310BB6600A5082E762DF36E4507AD23A1E78CFE4F151221EF2A477E9CF34C885C740

Function 000001FE8FAE0D80 Relevance: 9.1, APIs: 6, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32 ref: 000001FE8FAE0DBE
WSAGetLastError.WS2_32 ref: 000001FE8FAE0DC9

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorEventLastSelect
String ID:
API String ID: 1135597009-0
Opcode ID: 69ada47511ffae6a1b2352c791967df792aaf6681adecbb36eed45c614523dad
Instruction ID: 31b5910cf31b44e5ea78f643df273c7faa510b9a495c62ee2f3ffb54a410b743
Opcode Fuzzy Hash: 69ada47511ffae6a1b2352c791967df792aaf6681adecbb36eed45c614523dad
Instruction Fuzzy Hash: FF21A1F26006418BF768AF75D4997A937E0E708B68F244268CB19862E4DB79C8D7CB44

Function 0000000140009290 Relevance: 9.1, APIs: 6, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32 ref: 00000001400092CE
WSAGetLastError.WS2_32 ref: 00000001400092D9

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorEventLastSelect
String ID:
API String ID: 1135597009-0
Opcode ID: ca51bb135ca9b6b53a41005a3fb522d120fffd9efbfa981f642130a86738c22e
Instruction ID: 9b8ff33ad4f21ee875c00557280bc8415497f07eb4acfa47184f87d0d427e899
Opcode Fuzzy Hash: ca51bb135ca9b6b53a41005a3fb522d120fffd9efbfa981f642130a86738c22e
Instruction Fuzzy Hash: E9218EF26006008BF759CF76E4493A936E0E70CB99F650218DB19C76E0CBBAC9D6DB44

Function 000001FE8FAE3FEC Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAE4017
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE4022
_getptd.LIBCMT ref: 000001FE8FAE4048
CreateThread.KERNEL32 ref: 000001FE8FAE409D
GetLastError.KERNEL32 ref: 000001FE8FAE40A8
free.LIBCMT ref: 000001FE8FAE40B3

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: 1fc69dd64072fa7bf409c8ce7061121ab39990cf21b2db261d2c093eb0dfa2fa
Instruction ID: 4f0c9fb3d29530dab6a41f390adf5bf1449a04a31fe3ca505be75641b33c4fa9
Opcode Fuzzy Hash: 1fc69dd64072fa7bf409c8ce7061121ab39990cf21b2db261d2c093eb0dfa2fa
Instruction Fuzzy Hash: F921A135214BC185EA14BB66E4617EAB2D8F784BF0F444675AF68037E6DF38D0128700

Function 000000014000C4D8 Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014000C503
_invalid_parameter_noinfo.LIBCMT ref: 000000014000C50E
_getptd.LIBCMT ref: 000000014000C534
CreateThread.KERNELBASE ref: 000000014000C589
GetLastError.KERNEL32 ref: 000000014000C594
free.LIBCMT ref: 000000014000C59F

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: b11140e7446571eafd14e7012cf083d785f14c4c77ccc4c9425ccbac4b8ec313
Instruction ID: 37f882430a81e144da6995cd907b33d2ea7b296969054656d38c24131aaea18f
Opcode Fuzzy Hash: b11140e7446571eafd14e7012cf083d785f14c4c77ccc4c9425ccbac4b8ec313
Instruction Fuzzy Hash: A72195B1215B8086EA16DB67B9417DAB290F78CBD0F444625BF69037E6DF38D4508740

Function 00007FF665B74400 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF665B744C4
GetProcAddress.KERNEL32 ref: 00007FF665B74586

Strings

timeKillEvent, xrefs: 00007FF665B7457C
winmm, xrefs: 00007FF665B74464, 00007FF665B74533
timeSetEvent, xrefs: 00007FF665B744BA

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc
String ID: timeKillEvent$timeSetEvent$winmm
API String ID: 190572456-1618422980
Opcode ID: 122c8a63f252d51b526212ba5446e8d602476a32e04a82d9a1aae74211740df4
Instruction ID: d54f7ba87f0b693fc7b157f43fa96286fe7e58617834e0c4b4fd3c7aee3a0d03
Opcode Fuzzy Hash: 122c8a63f252d51b526212ba5446e8d602476a32e04a82d9a1aae74211740df4
Instruction Fuzzy Hash: BF517132A05652CAFB50CB65D8626BC27B0AB49F68F140235E95ECB6D5DF3CEC45C340

Function 000001FE8FAE2EA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000001FE8FAE2EE1

Part of subcall function 000001FE8FAE4698: HeapFree.KERNEL32 ref: 000001FE8FAE46AE
Part of subcall function 000001FE8FAE4698: _errno.LIBCMT ref: 000001FE8FAE46B8

malloc.LIBCMT ref: 000001FE8FAE2F42
free.LIBCMT ref: 000001FE8FAE2F5D
SetWaitableTimer.KERNEL32 ref: 000001FE8FAE2FFC

Strings

bad allocation, xrefs: 000001FE8FAE2F77

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeapTimerWaitable_errnomalloc
String ID: bad allocation
API String ID: 996728788-2104205924
Opcode ID: 3164918fe516b5a880c1d5ebc565a3863ef63c33cab6ecf522e00527834a8d48
Instruction ID: 45a091ef39ce88ad0913170c82ed3b3baf2cfa82371694ffbb958c6b4615798d
Opcode Fuzzy Hash: 3164918fe516b5a880c1d5ebc565a3863ef63c33cab6ecf522e00527834a8d48
Instruction Fuzzy Hash: 64410436611FC589DB60AF24E9646E833E4F748B98F584175AF490BB68DF74C062C324

Function 000000014000B3B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000000014000B3F1

Part of subcall function 000000014000CDD8: RtlFreeHeap.NTDLL(?,?,?,000000014000105E), ref: 000000014000CDEE
Part of subcall function 000000014000CDD8: _errno.LIBCMT ref: 000000014000CDF8

malloc.LIBCMT ref: 000000014000B452
free.LIBCMT ref: 000000014000B46D
SetWaitableTimer.KERNELBASE ref: 000000014000B50C

Strings

bad allocation, xrefs: 000000014000B487

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeapTimerWaitable_errnomalloc
String ID: bad allocation
API String ID: 996728788-2104205924
Opcode ID: f8b2bde9cf209f261d56d6a1b00d68b5bb4cd4d590ef32a8494881bf267ae9a2
Instruction ID: 94c656a112711b9f92b20cc6127c6b9282d1092eb86de163954d4faba0118a15
Opcode Fuzzy Hash: f8b2bde9cf209f261d56d6a1b00d68b5bb4cd4d590ef32a8494881bf267ae9a2
Instruction Fuzzy Hash: 9A412472212B8489EB61DF66E9547D833A8F748BC8F984125EF4D0BB69DF78C551C304

Function 0000000140002B10 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000000140002CA9
CloseHandle.KERNELBASE ref: 0000000140002CE7

Strings

n, xrefs: 0000000140002BC1
., xrefs: 0000000140002B9D
l, xrefs: 0000000140002BAF

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: AllocCloseHandleVirtual
String ID: .$l$n
API String ID: 1420394295-2376909228
Opcode ID: ce9479c637d506cdde78aefb60dd895aff2b1a61f0d53a8078a23adf0ea733dc
Instruction ID: cecaae5f03fb596294a166a6b727b5315bd6c99abd8d4f327956ccdac3478328
Opcode Fuzzy Hash: ce9479c637d506cdde78aefb60dd895aff2b1a61f0d53a8078a23adf0ea733dc
Instruction Fuzzy Hash: 81519C76324A8086E721DF26E4447DAB761F78DB84F10902AFB4A87BA5DF3DC505CB01

Function 000001FE8FADDDC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 000001FE8FADDE05
setsockopt.WS2_32 ref: 000001FE8FADDE28
setsockopt.WS2_32 ref: 000001FE8FADDE58
setsockopt.WS2_32 ref: 000001FE8FADDE7B
SetLastError.KERNEL32 ref: 000001FE8FADDE93

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: setsockopt$ErrorLast
String ID:
API String ID: 1564866530-0
Opcode ID: 3616964d9e68d5e10b4d5a33af7c41ce66c25ecf9a3d6ccf82dd9a2d54687743
Instruction ID: 01b942bd8955c16eab64201daa872cd5b79745331722b5ca34fc8acc7215cf75
Opcode Fuzzy Hash: 3616964d9e68d5e10b4d5a33af7c41ce66c25ecf9a3d6ccf82dd9a2d54687743
Instruction Fuzzy Hash: A61175713045C687EB209F54F4447A9A7B1FB857A4F600735EB980BEE8CB7DC54A8B04

Function 00000001400062D0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 0000000140006315
setsockopt.WS2_32 ref: 0000000140006338
setsockopt.WS2_32 ref: 0000000140006368
setsockopt.WS2_32 ref: 000000014000638B
SetLastError.KERNEL32 ref: 00000001400063A3

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: setsockopt$ErrorLast
String ID:
API String ID: 1564866530-0
Opcode ID: a4858c02dc920b4e29ad202f91ccd05f850526e49aa390ca8bb9a02fdcc47647
Instruction ID: 602cb659ebd87d0b786e6d9020230c23cdfcde8f81faa4eb3e089f71648bbc11
Opcode Fuzzy Hash: a4858c02dc920b4e29ad202f91ccd05f850526e49aa390ca8bb9a02fdcc47647
Instruction Fuzzy Hash: EC117271318981C3F720CF65F5043AAA761F7897A8FA40225FB9807EE8CB7EC5498B04

Function 00007FF665BE57F0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 256COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 00007FF665BE5882

Part of subcall function 00007FF665BE5B90: GetProcAddress.KERNEL32 ref: 00007FF665BE5C8C
Part of subcall function 00007FF665BE5B90: _Init_thread_footer.LIBCMT ref: 00007FF665BE5D07

Strings

/, xrefs: 00007FF665BE59A0
/, xrefs: 00007FF665BE5900
/data, xrefs: 00007FF665BE5A5C

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AddressFolderInit_thread_footerPathProcSpecial
String ID: /$/$/data
API String ID: 4283787320-2895359887
Opcode ID: d1e49fa3896eafa6007d938f4fdc5880bf972e46184820727c7f6e229fefdf32
Instruction ID: bd71f87d7ec8dace0965468cd48ac27af14011707d751de75685e540277c8984
Opcode Fuzzy Hash: d1e49fa3896eafa6007d938f4fdc5880bf972e46184820727c7f6e229fefdf32
Instruction Fuzzy Hash: 77B17332609641C6EB60DB25D4A21BD73B0EB8ABA4F584231EA5EC76D5DF38DC45CB40

Function 000001FE8FAE2040 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117networkCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 000001FE8FAE2078
WSAGetLastError.WS2_32 ref: 000001FE8FAE2086
WSAResetEvent.WS2_32 ref: 000001FE8FAE20C3

Strings

, xrefs: 000001FE8FAE2192

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: EnumErrorEventEventsLastNetworkReset
String ID:
API String ID: 1050048411-3916222277
Opcode ID: a43ef72c0ef5dea547670d24ae46d00b54fdd337623529927378a7758b4313cd
Instruction ID: 2bc7ce8c15e19359d4cafa592661da48b8c462759ab110e9958aae3fa268a1de
Opcode Fuzzy Hash: a43ef72c0ef5dea547670d24ae46d00b54fdd337623529927378a7758b4313cd
Instruction Fuzzy Hash: E651D472500B8686F364EF25D4143AA77E1FB88BE8F150164DF49873E9CB79C942CB50

Function 000000014000A550 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117networkCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 000000014000A588
WSAGetLastError.WS2_32 ref: 000000014000A596
WSAResetEvent.WS2_32 ref: 000000014000A5D3

Strings

, xrefs: 000000014000A6A2

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: EnumErrorEventEventsLastNetworkReset
String ID:
API String ID: 1050048411-3916222277
Opcode ID: fa868995986a14abb85073b18f218ae2a53ef825df2d0f67fe1e49d6a425e339
Instruction ID: 5a56c2ca883d86df65ce7083488b71bfca8bd6176ccbe13178db47678fe34849
Opcode Fuzzy Hash: fa868995986a14abb85073b18f218ae2a53ef825df2d0f67fe1e49d6a425e339
Instruction Fuzzy Hash: BD513AB2204B448BE762CF26E40479A77F1F78DBD8F190215EB89472A9DB7EC9458B40

Function 000001FE8FAD1470 Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 000001FE8FAD14A6
CancelIo.KERNEL32 ref: 000001FE8FAD14B3
closesocket.WS2_32 ref: 000001FE8FAD14C3
SetEvent.KERNEL32 ref: 000001FE8FAD14CD

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 2a9ad9b7fa4f886587210fcf5cdafb31a936560bafd6b588060e346cf5de1bbb
Instruction ID: 64f05e41b89e0779b68a44c9df8347efe601dfe77c2381a53f0496b914ee1b5b
Opcode Fuzzy Hash: 2a9ad9b7fa4f886587210fcf5cdafb31a936560bafd6b588060e346cf5de1bbb
Instruction Fuzzy Hash: FAF03232204A8283DB049F25E5447A9A370F789BA4F644335DB6D4BBA4CF38D4AACB00

Function 0000000140001470 Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00000001400014A6
CancelIo.KERNEL32 ref: 00000001400014B3
closesocket.WS2_32 ref: 00000001400014C3
SetEvent.KERNEL32 ref: 00000001400014CD

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 49c26dcf36976051189be324e92bcf16e191800432304aafcf15dff69e109372
Instruction ID: 2d1809b97a9702a462fefa8dca50ef9d6389b22542af97769ffcb03c0baeda86
Opcode Fuzzy Hash: 49c26dcf36976051189be324e92bcf16e191800432304aafcf15dff69e109372
Instruction Fuzzy Hash: 28F0F936204A8097E751CF26E5443A9B370F789BB4F504325EB6D47BA5CF39C5AACB00

Function 00007FF665B79080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 335libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665B664F0: GetModuleFileNameW.KERNEL32 ref: 00007FF665B66523

LoadLibraryExW.KERNELBASE ref: 00007FF665B793AE

Strings

.dll, xrefs: 00007FF665B79302
PATH, xrefs: 00007FF665B7919F

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID: .dll$PATH
API String ID: 1159719554-3816765965
Opcode ID: c5343b12e3117846d8bc79dda1a13aca70fa381a8a0851b60b5b434cecc1e18b
Instruction ID: b1ff1aa1e3164f9565dff597ef616d956adc1dc417a13899c2d1fcef16090c64
Opcode Fuzzy Hash: c5343b12e3117846d8bc79dda1a13aca70fa381a8a0851b60b5b434cecc1e18b
Instruction Fuzzy Hash: 29E16D32B05511DAEB20DA79C4622BC73B0EB4AF68F544631DA2DDB6D9DF28EC16C740

Function 00007FF665B4A440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF665B4A496

Part of subcall function 00007FF665B49920: GetProcAddress.KERNEL32 ref: 00007FF665B499E8
Part of subcall function 00007FF665B49920: GetFileVersionInfoSizeExW.KERNELBASE ref: 00007FF665B49AC1

Part of subcall function 00007FF665B497B0: VerSetConditionMask.KERNEL32 ref: 00007FF665B497E4
Part of subcall function 00007FF665B497B0: VerSetConditionMask.KERNEL32 ref: 00007FF665B497F3
Part of subcall function 00007FF665B497B0: VerifyVersionInfoW.KERNEL32 ref: 00007FF665B49842
Part of subcall function 00007FF665B497B0: VerifyVersionInfoW.KERNEL32 ref: 00007FF665B4986A
Part of subcall function 00007FF665B497B0: VerSetConditionMask.KERNEL32 ref: 00007FF665B49889
Part of subcall function 00007FF665B497B0: VerSetConditionMask.KERNEL32 ref: 00007FF665B4989A
Part of subcall function 00007FF665B497B0: VerSetConditionMask.KERNEL32 ref: 00007FF665B498AB
Part of subcall function 00007FF665B497B0: VerifyVersionInfoW.KERNEL32 ref: 00007FF665B498C1
Part of subcall function 00007FF665B497B0: VerifyVersionInfoW.KERNEL32 ref: 00007FF665B498EA

Strings

Qt: Untested Windows version %d.%d detected!, xrefs: 00007FF665B4A593
default, xrefs: 00007FF665B4A578

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Version$ConditionInfoMask$Verify$AddressFileProcSize
String ID: Qt: Untested Windows version %d.%d detected!$default
API String ID: 3189366613-4050888621
Opcode ID: 56fe74357d412eeec9feb3abae344f86caa2346e8b58c8be68436d8c79f3f852
Instruction ID: e5bea087012db4c7a5d1c72e0b56a810463d264ce1d32362dbda725688fbb3dc
Opcode Fuzzy Hash: 56fe74357d412eeec9feb3abae344f86caa2346e8b58c8be68436d8c79f3f852
Instruction Fuzzy Hash: 69413271E0C282C2FA748615E6A237D72B2EF5FB50F604135D64ECA698EE2DEC459F01

Function 0000000140001870 Relevance: 5.1, APIs: 4, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000001400018EE
VirtualFree.KERNEL32 ref: 0000000140001928
VirtualAlloc.KERNEL32 ref: 0000000140001995
VirtualFree.KERNEL32 ref: 00000001400019CF

Part of subcall function 0000000140001A80: send.WS2_32 ref: 0000000140001AE3
Part of subcall function 0000000140001A80: send.WS2_32 ref: 0000000140001B30

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocFreesend
String ID:
API String ID: 2354595252-0
Opcode ID: d32468d94f511778c6efb9e4a37247997571d09d1ecdf759417b344c15647baf
Instruction ID: c386b83460c13cd3b43a28069926cd7ebcb420af6f38d37e418ea9263e80ce11
Opcode Fuzzy Hash: d32468d94f511778c6efb9e4a37247997571d09d1ecdf759417b344c15647baf
Instruction Fuzzy Hash: BE513C72210B4087E766DF2BF45079AB7A5F788BC4F148129EB8A97B64DF78D445CB00

Function 000001FE8FAE1EF0 Relevance: 4.6, APIs: 3, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE0690: StrChrW.SHLWAPI ref: 000001FE8FAE06AD

WSASetLastError.WS2_32 ref: 000001FE8FAE1F89
socket.WS2_32 ref: 000001FE8FAE1F9F
WSACreateEvent.WS2_32 ref: 000001FE8FAE1FF4

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CreateErrorEventLastsocket
String ID:
API String ID: 2854923884-0
Opcode ID: 1f2bb71204ac77dbbf842b20c3a86081802b1dd4a822a36c56d4e184d26bc510
Instruction ID: a93af316eb7f70187091c80541da5927bc72a654fe905cf837b1ee95f8529c39
Opcode Fuzzy Hash: 1f2bb71204ac77dbbf842b20c3a86081802b1dd4a822a36c56d4e184d26bc510
Instruction Fuzzy Hash: D0319231204BD286FA64BB62A4503F963D5F784BF0F1442B6AB9607AF9DF38C452C750

Function 000000014000A400 Relevance: 4.6, APIs: 3, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140008BA0: StrChrW.SHLWAPI ref: 0000000140008BBD

WSASetLastError.WS2_32 ref: 000000014000A499
socket.WS2_32 ref: 000000014000A4AF
WSACreateEvent.WS2_32 ref: 000000014000A504

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CreateErrorEventLastsocket
String ID:
API String ID: 2854923884-0
Opcode ID: e0cbaf7c63bf1ec2e30ce2e462ca0de58b14044d59c9cdb963edb7254d9caeaa
Instruction ID: 6f895d5ae6b0c7e0c03d244604886a8c65f5e7e6555a5c7cfe512488f2747cee
Opcode Fuzzy Hash: e0cbaf7c63bf1ec2e30ce2e462ca0de58b14044d59c9cdb963edb7254d9caeaa
Instruction Fuzzy Hash: 883183B5604B5086E666DB23B8043EA62E1F7CEBE4F040215BB9A47AF6DFBCC551C701

Function 000001FE8FADE1B0 Relevance: 4.5, APIs: 3, Instructions: 41networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 000001FE8FADE1D8
WSAStringToAddressW.WS2_32 ref: 000001FE8FADE211
htons.WS2_32 ref: 000001FE8FADE223

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: AddressErrorLastStringhtons
String ID:
API String ID: 1418563660-0
Opcode ID: d9d705e35dec7f7c8533af68aa056b56a6f5a7199e4bd55976b9687a2b746dc9
Instruction ID: 99cd9b9ee042d794480b09effe4b01b24bc1fb89a5a17a59764ba35a8894383b
Opcode Fuzzy Hash: d9d705e35dec7f7c8533af68aa056b56a6f5a7199e4bd55976b9687a2b746dc9
Instruction Fuzzy Hash: DB01F2363046E282E715BB25F480BB963E0FB54BE4F544271BF8947BA4EA3CC8829704

Function 00000001400066C0 Relevance: 4.5, APIs: 3, Instructions: 41networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00000001400066E8
WSAStringToAddressW.WS2_32 ref: 0000000140006721
htons.WS2_32 ref: 0000000140006733

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: AddressErrorLastStringhtons
String ID:
API String ID: 1418563660-0
Opcode ID: a3fb8ebb527ba10d12834dcc094aead56c5fcf668bc44d138c8b989b3c6a5e40
Instruction ID: b0cac0e71a32bd63811cbb38c6314f16192b3d890269d803ef2ef19208760f43
Opcode Fuzzy Hash: a3fb8ebb527ba10d12834dcc094aead56c5fcf668bc44d138c8b989b3c6a5e40
Instruction Fuzzy Hash: 4D01A2B62186A082E7158B26F4153B9A3A1FB48BC8F844025FFDD477A4DA39C9919700

Function 000001FE8FADBCE0 Relevance: 4.5, APIs: 3, Instructions: 29threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 000001FE8FADBD10
CreateThread.KERNEL32 ref: 000001FE8FADBD34
WaitForSingleObject.KERNEL32 ref: 000001FE8FADBD44

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CreateThread$ObjectSingleWait
String ID:
API String ID: 1771687473-0
Opcode ID: 81b2f335489e0c723144b70b464700628b019d4b610a67576bf3cf9a64e068e0
Instruction ID: a0745af60a820d9a1258fe17796c9cb0bb776b425812922b616ebc7b8f4cdf7f
Opcode Fuzzy Hash: 81b2f335489e0c723144b70b464700628b019d4b610a67576bf3cf9a64e068e0
Instruction Fuzzy Hash: EE013171A04AC682E738AF61B8417E637E1F3883A8F544379D79986A74CF3CC1568604

Function 0000000140011AA0 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 0000000140011AB6
GetVersion.KERNEL32 ref: 0000000140011AC8
HeapSetInformation.KERNEL32 ref: 0000000140011AE6

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: dab1620e64bba2d977448fbcf9058565a5723aec7899ea49ad2290dc2e13d490
Instruction ID: 11b2e8d63657c493eb38dd465c5d544629449580d8c01811b72ebb2c961a9503
Opcode Fuzzy Hash: dab1620e64bba2d977448fbcf9058565a5723aec7899ea49ad2290dc2e13d490
Instruction Fuzzy Hash: 33E01A79612A8082FB8AAB56E8497EA2261FB8C785F805019FB4E077A5DF3DC4468704

Function 000001FE8FA900DC Relevance: 3.4, APIs: 2, Instructions: 391memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000001FE8FA90157
LoadLibraryA.KERNELBASE ref: 000001FE8FA902BD

Memory Dump Source

Source File: 00000000.00000002.1940080645.000001FE8FA90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FA90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fa90000_quHmbPnLFV.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 22a59f860d870a6bcf201ec3191bb530606b5caa03c236b8628a20c22f198a64
Instruction ID: 2bfe3f3fb83df2c0cd2d534183b0dd59125da905726bc7e53e6a9ed2936d898d
Opcode Fuzzy Hash: 22a59f860d870a6bcf201ec3191bb530606b5caa03c236b8628a20c22f198a64
Instruction Fuzzy Hash: D8C1D630314E4B8BDB68AE68C8C47B5B3E0FB543A1F15817DD99AC7291DA74E892C7C1

Function 00007FF665BB1450 Relevance: 3.1, APIs: 2, Instructions: 123COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF665BB152E
GetFullPathNameW.KERNEL32 ref: 00007FF665BB1583

Part of subcall function 00007FF665B49CB0: _CxxThrowException.LIBVCRUNTIME ref: 00007FF665B49CDF

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: FullNamePath$ExceptionThrow
String ID:
API String ID: 606229857-0
Opcode ID: cef41dd83b95d9f355ff0fae64ef258b4847377f3d45da9317d33ccdc43f3009
Instruction ID: bff2fc85b9690ef908c3db03db7cb8354a0f27189130f6399897e4a1ad53ed2a
Opcode Fuzzy Hash: cef41dd83b95d9f355ff0fae64ef258b4847377f3d45da9317d33ccdc43f3009
Instruction Fuzzy Hash: D451B332608A81C6DB20DF55E4912AEB3B0FB89F94F444135EA8D8B798DFBCD945CB40

Function 00007FF665B44190 Relevance: 3.1, APIs: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF665B44AA0), ref: 00007FF665B441F7
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF665B44AA0), ref: 00007FF665B4425E

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: 8f8e47707ebd93ed1f71c6a183001e7ecbe9b94e491bc39c99885a78eb5476a0
Instruction ID: 45340099e2154cce9334292ac0b17a40097591dd5c21c3bc75ac04a5bf35665a
Opcode Fuzzy Hash: 8f8e47707ebd93ed1f71c6a183001e7ecbe9b94e491bc39c99885a78eb5476a0
Instruction Fuzzy Hash: D821B0B6B14A45C2EE20CF06D462A682771FBA9F84F945032CA4E8B754DF3CD992C740

Function 0000000140001A80 Relevance: 3.1, APIs: 2, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 0000000140001AE3
send.WS2_32 ref: 0000000140001B30

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 4d82d8ce8297748054077ff5a83405a44117ba6789b74d22cb788790d759d827
Instruction ID: a9a0367f8085be0a3a8f34c5c9eb81f2418d8be8a90d8d859ca2e5cd89ffc5f9
Opcode Fuzzy Hash: 4d82d8ce8297748054077ff5a83405a44117ba6789b74d22cb788790d759d827
Instruction Fuzzy Hash: B921E1B2704A9041E3618F27B8407EAB694F7CDBD4F045121FF5983BA2FBB8C4828300

Function 0000000140001750 Relevance: 3.1, APIs: 2, Instructions: 64networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000C364: malloc.LIBCMT ref: 000000014000C37E

select.WS2_32 ref: 00000001400017E5
recv.WS2_32 ref: 0000000140001807

Part of subcall function 0000000140001BD0: VirtualAlloc.KERNEL32(?,?,?,?,?,000000014000181F), ref: 0000000140001D5E

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: AllocVirtualmallocrecvselect
String ID:
API String ID: 1241053632-0
Opcode ID: 505b6903d59803aef40d8381a865ccc397fe224001b798411c91ea7f351c35a7
Instruction ID: e79e53effcdf3112c95f2337ea6b6acd2f53d3d590a13a7037282b1afe0fdc01
Opcode Fuzzy Hash: 505b6903d59803aef40d8381a865ccc397fe224001b798411c91ea7f351c35a7
Instruction Fuzzy Hash: 1D219CB2714A8081EB71DF26F5543EA63A0E789FC8F408125EB5D87BA9EF38C1458B00

Function 000001FE8FADC9F0 Relevance: 3.0, APIs: 2, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 000001FE8FADCA2F
free.LIBCMT ref: 000001FE8FADCA6D

Part of subcall function 000001FE8FAD72B0: GdipDisposeImage.GDIPLUS ref: 000001FE8FAD72ED
Part of subcall function 000001FE8FAD72B0: GdipFree.GDIPLUS ref: 000001FE8FAD72FB

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Gdip$CreateDisposeFreeHeapImagefree
String ID:
API String ID: 1469048323-0
Opcode ID: 1e852e01241bb4f9f199057eb3e4331d9c0c2a302e0f1085875ebc1fe2c2c545
Instruction ID: 6c95ca2979a7d77f45896ddeb8280675a22751790812eefb024ca809a9b66f68
Opcode Fuzzy Hash: 1e852e01241bb4f9f199057eb3e4331d9c0c2a302e0f1085875ebc1fe2c2c545
Instruction Fuzzy Hash: D6118CB3114B80CAE754DF25E48065D77F8F788B98F685529DF8917B28CB34C8A1CB44

Function 0000000140004F00 Relevance: 3.0, APIs: 2, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 0000000140004F3F
free.LIBCMT ref: 0000000140004F7D

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CreateHeapfree
String ID:
API String ID: 2345683253-0
Opcode ID: 28c10530bac5da55857837622ebc9bb0a9222c4d30909a16d0c3f2103b32b967
Instruction ID: e9c3ad32272f9072ca89ff6d639c6e7b0cee97d95a3e8c3e1d0d463da563d760
Opcode Fuzzy Hash: 28c10530bac5da55857837622ebc9bb0a9222c4d30909a16d0c3f2103b32b967
Instruction Fuzzy Hash: C8116AB3114B808AD751CF26E48075D77B8F788B88F685029EF9917B29CB34C8A1CB48

Function 000001FE8FADDEB0 Relevance: 3.0, APIs: 2, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32 ref: 000001FE8FADDEE6
WSAGetLastError.WS2_32 ref: 000001FE8FADDEF1

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorIoctlLast
String ID:
API String ID: 4052769934-0
Opcode ID: ce17200a24629c4b9b126d947a8803227bd7e5b596f43e01a5a8fcac86845cd1
Instruction ID: 19d5fff39cf38192e27c3e3f744f9c5f878935686b34c264234245eb5a5386ff
Opcode Fuzzy Hash: ce17200a24629c4b9b126d947a8803227bd7e5b596f43e01a5a8fcac86845cd1
Instruction Fuzzy Hash: 37F08272604B80C3D7109F20B48059AB7B5F784330FA40339EB9D42AA8CB3CC99ADE50

Function 00000001400063C0 Relevance: 3.0, APIs: 2, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32 ref: 00000001400063F6
WSAGetLastError.WS2_32 ref: 0000000140006401

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorIoctlLast
String ID:
API String ID: 4052769934-0
Opcode ID: 312aed48b350a6209cc86974967232855cb715dd87e6e1548b6b0fe6eba230ae
Instruction ID: f01f3c849799de985b5d5e858bfb08d7df10fa5871a8be8eb346f901d8f668c6
Opcode Fuzzy Hash: 312aed48b350a6209cc86974967232855cb715dd87e6e1548b6b0fe6eba230ae
Instruction Fuzzy Hash: F7F08272504740C3D7118F20B48029AB7A5F7C8760F940339FBAD46AA4CB3CC699DE00

Function 0000000140001070 Relevance: 2.6, APIs: 2, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000001400010E8
VirtualFree.KERNELBASE ref: 0000000140001123

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 0b4d83cdc7f3374882a2405b78c883344f199d32df5bac03a6686caa87e666e1
Instruction ID: 70cb798ce691b1d1b3747c3c80cce9e382c7a2f5387daa1aeb325cd09070d138
Opcode Fuzzy Hash: 0b4d83cdc7f3374882a2405b78c883344f199d32df5bac03a6686caa87e666e1
Instruction Fuzzy Hash: B241E4B2700A8486D71ACF2AE9407D9A7A1F788BC8F048529FF4A47B69DE34C891C740

Function 00000001400011E0 Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000000140001251
VirtualFree.KERNELBASE ref: 0000000140001285

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 35ec61db66e325779c8396a2d5ca1d82070d184fb1970e64289eed608e10a2fb
Instruction ID: f16518db71c21787d7e0962e8ac704ec91cd38b893080e9dde5852ea236419e3
Opcode Fuzzy Hash: 35ec61db66e325779c8396a2d5ca1d82070d184fb1970e64289eed608e10a2fb
Instruction Fuzzy Hash: E2217F72714A4086D746CB2AF54039963A1F78CBC4F548525FB5997B58DF34D8E28B40

Function 00007FF665C327A0 Relevance: 2.6, APIs: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF665C28CFD,?,?,?,?,00007FF665B784A7), ref: 00007FF665C327AF
SetLastError.KERNEL32(?,?,?,00007FF665C28CFD,?,?,?,?,00007FF665B784A7), ref: 00007FF665C3284D

Part of subcall function 00007FF665C3152C: try_get_function.LIBVCRUNTIME ref: 00007FF665C3154E

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$try_get_function
String ID:
API String ID: 762735579-0
Opcode ID: 4ce17350b16d627d44a51ebfd242cee0539828d90e1a6124d64c26c9feeafd87
Instruction ID: 5f6aee2290f5cb4df6ddea6a4602359a6f3c6fcdfb3dce3eff670ea2d2cccfc0
Opcode Fuzzy Hash: 4ce17350b16d627d44a51ebfd242cee0539828d90e1a6124d64c26c9feeafd87
Instruction Fuzzy Hash: 30216D23E0C64AC6FE54A736E9A307921B25F45FB0F04473CD97E8E6D6DE2CAC418240

Function 000001FE8FAE6AE8 Relevance: 1.5, APIs: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000001FE8FAE6B0F

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: DecodePointer
String ID:
API String ID: 3527080286-0
Opcode ID: 9da76b86c43469502cb9962a14670a8e5049ec898b9d5911d73b5e2543db7b42
Instruction ID: e03762022864b4d305895945a872637202d1629847e8d2168bd14b89519e8678
Opcode Fuzzy Hash: 9da76b86c43469502cb9962a14670a8e5049ec898b9d5911d73b5e2543db7b42
Instruction Fuzzy Hash: 13018F36B14BC082E720AB62B44175AB7A4F799BD0F588525EF8C07F29CF3CD1128B00

Function 00007FF665B70E40 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF665B70E7A

Part of subcall function 00007FF665B74400: GetProcAddress.KERNEL32 ref: 00007FF665B74586

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AddressCurrentProcThread
String ID:
API String ID: 3962317920-0
Opcode ID: acc812e3850b7be8dd11515c35d5aee543ce9ef8fc169abd74eb55cbd8338b55
Instruction ID: 4cfcb1589d8f82aa532ec76f1504c0bcf637fabc9be6a514054dfc036de026fb
Opcode Fuzzy Hash: acc812e3850b7be8dd11515c35d5aee543ce9ef8fc169abd74eb55cbd8338b55
Instruction Fuzzy Hash: 27119332505F81C9D7908F24F94539973F8F709B58F584239DAAC8B7A9EF389465C710

Function 00007FF665B70DD0 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FF665B70E14

Part of subcall function 00007FF665B70E40: GetCurrentThreadId.KERNEL32 ref: 00007FF665B70E7A

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: CurrentThreadstd::bad_exception::bad_exception
String ID:
API String ID: 299378639-0
Opcode ID: 058f0110385e271502d91cabf9693d420978a267fc73d507fc430bd55fc21fba
Instruction ID: 859ee91894a18d8db9a97bad27d72a1a1eca800698f55011f0f8342354e2cc11
Opcode Fuzzy Hash: 058f0110385e271502d91cabf9693d420978a267fc73d507fc430bd55fc21fba
Instruction Fuzzy Hash: 78F03721A09B4281DA509B15F815169A2B4AF8AFE0F544339EFBD8B7E5DE3CE4508700

Function 000000014001DFF0 Relevance: 1.5, APIs: 1, Instructions: 22networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 000000014001E020

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 90d8150e3757ef238170da936ae11fff972097fbe498c69ec85e5f8ebc6fd6bb
Instruction ID: 2911937ff579bdcfe6b4ac6631c023d3c56698f6ad4b92838af04f44b9dc91a7
Opcode Fuzzy Hash: 90d8150e3757ef238170da936ae11fff972097fbe498c69ec85e5f8ebc6fd6bb
Instruction Fuzzy Hash: 84F05276220A84DAEB12EF25E8193D873A4F74C784F808016FB8D8B768DF38C2118B00

Function 000000014000C408 Relevance: 1.5, APIs: 1, Instructions: 10threadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E71C: GetLastError.KERNEL32(?,?,?,000000014000E559,?,?,?,?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014000E726
Part of subcall function 000000014000E71C: FlsGetValue.KERNEL32(?,?,?,000000014000E559,?,?,?,?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014000E734
Part of subcall function 000000014000E71C: FlsSetValue.KERNEL32(?,?,?,000000014000E559,?,?,?,?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014000E760
Part of subcall function 000000014000E71C: GetCurrentThreadId.KERNEL32 ref: 000000014000E774
Part of subcall function 000000014000E71C: SetLastError.KERNEL32(?,?,?,000000014000E559,?,?,?,?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014000E78C

ExitThread.KERNEL32 ref: 000000014000C424

Part of subcall function 000000014000E8F8: FlsGetValue.KERNEL32(?,?,?,000000014000C422,?,?,?,?,?,?,?,?,?,?,?,00000001400015D2), ref: 000000014000E911
Part of subcall function 000000014000E8F8: FlsSetValue.KERNEL32(?,?,?,000000014000C422,?,?,?,?,?,?,?,?,?,?,?,00000001400015D2), ref: 000000014000E922
Part of subcall function 000000014000E8F8: _freefls.LIBCMT ref: 000000014000E92B

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Value$ErrorLastThread$CurrentExit_freefls
String ID:
API String ID: 1216290073-0
Opcode ID: 50720535ccd6fb1326abae26ff6c97f43710cf1c4642367276e24177af361050
Instruction ID: b3ac20aaedd1452b9766895f4c06c775f723c0e6f08f999d19768f29f34785b6
Opcode Fuzzy Hash: 50720535ccd6fb1326abae26ff6c97f43710cf1c4642367276e24177af361050
Instruction Fuzzy Hash: 73C002B471238441FE2EB7B6345A7A811506B5D780E441438BA5A1B3A3DD7984094300

Function 000001FE8FADDD60 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 000001FE8FADDD80

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 4c71799af792aa104f0d233dd33903cd3c71c1c3b67126271428965dbd002654
Instruction ID: 8d48b97c306739909ce633bb44dea509040781915155f3a24660b39a62461b37
Opcode Fuzzy Hash: 4c71799af792aa104f0d233dd33903cd3c71c1c3b67126271428965dbd002654
Instruction Fuzzy Hash: A1C012B16141C187D720AF14D4056556B70FB85344FA00625E78806AA4C77DC21ACF04

Function 000001FE8FADDD90 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 000001FE8FADDDB0

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 5430b48c897f6ed4bf1239ba44f7872b55cb598c5994d6d473fb0253ef00896f
Instruction ID: 405e9175dfeb334f3541202b252c5c92f45ab0b174248597fee9a5a42d972c4c
Opcode Fuzzy Hash: 5430b48c897f6ed4bf1239ba44f7872b55cb598c5994d6d473fb0253ef00896f
Instruction Fuzzy Hash: FBC012716141C187D720AF14D4046556B70FB85344FA00625EB8806AA4C77DC25ACF04

Function 0000000140006270 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 0000000140006290

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: e95747ce8f3f3750f5459e05a253b64576bad900133d075150429dbf0668e463
Instruction ID: cf5048b8f6b0cb3c2e2677f4137b1ab2fc995b420aa23efcee12e8e639857660
Opcode Fuzzy Hash: e95747ce8f3f3750f5459e05a253b64576bad900133d075150429dbf0668e463
Instruction Fuzzy Hash: 5AC012716141C187E720DF14D4053966B20F789344F900525F78806AA4C77DC25ACF04

Function 00000001400062A0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00000001400062C0

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: aad93ee022f5210646a99c84337d3774725d5d85ae8e5a47ae194036c45a8d95
Instruction ID: f9c991f187c9692375a014dc1883362d59b838f17bd84156b4685b9339654db1
Opcode Fuzzy Hash: aad93ee022f5210646a99c84337d3774725d5d85ae8e5a47ae194036c45a8d95
Instruction Fuzzy Hash: D0C012716141C187E720DF14D4043966B20F789348F900525FB8806AA4C77EC25ACF04

Function 000001FE8FAE3F40 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000001FE8FAE3F44

Part of subcall function 000001FE8FAE6FA8: _amsg_exit.LIBCMT ref: 000001FE8FAE6FBE

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _amsg_exit_getptd
String ID:
API String ID: 4217099735-0
Opcode ID: 213a6e2b15a75dbbc5b6985e12d8423eb37278cc3a763c8166efefaf3e9b0e9f
Instruction ID: e1d54d7ada819d3920cb34be146c4277efd13b2d0bb692ff175e69950cf6b4bc
Opcode Fuzzy Hash: 213a6e2b15a75dbbc5b6985e12d8423eb37278cc3a763c8166efefaf3e9b0e9f
Instruction Fuzzy Hash: 97C09225A11AC581DA04777184667FC2AE1ABC5BA1F0584B0DB2E433A3DE2484464320

Function 00007FF665C31054 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF665C327FD,?,?,?,00007FF665C28CFD,?,?,?,?,00007FF665B784A7), ref: 00007FF665C310A9

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7865fc895f06e5d261083154053c5d09f8bae565a87a491178ac8ce2072efa4a
Instruction ID: 4243fbcb7d2471ead942f50545499b3b8e173031c726b1577ef17014c33fb626
Opcode Fuzzy Hash: 7865fc895f06e5d261083154053c5d09f8bae565a87a491178ac8ce2072efa4a
Instruction Fuzzy Hash: 2BF06D56B0968BC9FE54A669D9533B842B05F88F80F0C5178C90ECE3D1EE2CED81C221

Function 00007FF665C31C00 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF665C339B5,?,?,00000000,00007FF665C3803F,?,?,?,00007FF665C30B83,?,?,?,00007FF665C30A79), ref: 00007FF665C31C3E

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 460da5771890f454806aba5e565a12d6929184467c6de6092689245f29d5b967
Instruction ID: 21327a92336880723dfc6fb5a559cc3e604b70ae66038176e9d001b781aa04b0
Opcode Fuzzy Hash: 460da5771890f454806aba5e565a12d6929184467c6de6092689245f29d5b967
Instruction Fuzzy Hash: D0F08213B0D64AC9FE59566AE84337412B05F94FA0F080638DC2FCE2E1DE2CAC814124

Non-executed Functions

Function 000001FE8FAD5280 Relevance: 59.7, APIs: 25, Strings: 9, Instructions: 202libraryloaderprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 000001FE8FAD530B
CreateProcessA.KERNEL32 ref: 000001FE8FAD536E
OpenProcess.KERNEL32 ref: 000001FE8FAD5393
LoadLibraryA.KERNEL32 ref: 000001FE8FAD53C1
GetProcAddress.KERNEL32 ref: 000001FE8FAD53D1
LoadLibraryA.KERNEL32 ref: 000001FE8FAD53E2
GetProcAddress.KERNEL32 ref: 000001FE8FAD53F2
LoadLibraryA.KERNEL32 ref: 000001FE8FAD5403
GetProcAddress.KERNEL32 ref: 000001FE8FAD5413
LoadLibraryA.KERNEL32 ref: 000001FE8FAD5424
GetProcAddress.KERNEL32 ref: 000001FE8FAD5434
GetCurrentProcess.KERNEL32 ref: 000001FE8FAD543E
GetProcessId.KERNEL32 ref: 000001FE8FAD5447
GetModuleFileNameA.KERNEL32 ref: 000001FE8FAD547B
VirtualAllocEx.KERNEL32 ref: 000001FE8FAD54B1
WriteProcessMemory.KERNEL32 ref: 000001FE8FAD54D4

Strings

OpenProcess, xrefs: 000001FE8FAD53C7
WaitForSingleObject, xrefs: 000001FE8FAD542A
WinExec, xrefs: 000001FE8FAD5409
ExitProcess, xrefs: 000001FE8FAD53E8
Kernel32.dll, xrefs: 000001FE8FAD53BA, 000001FE8FAD53D7, 000001FE8FAD53F8, 000001FE8FAD5419
h, xrefs: 000001FE8FAD52EB
%s%s, xrefs: 000001FE8FAD531F
Windows\System32\svchost.exe, xrefs: 000001FE8FAD5311
@, xrefs: 000001FE8FAD5525

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Process$AddressLibraryLoadProc$AllocCreateCurrentDirectoryFileMemoryModuleNameOpenSystemVirtualWrite
String ID: %s%s$@$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\System32\svchost.exe$h
API String ID: 675209239-4110464286
Opcode ID: cb6061bd00fcf5d5817a298436270a70da75f0555b869f46bbdfee4cd9ce1f11
Instruction ID: 726405caa4de6d2aa80646377a94f56ed9a4641eea4e893f775fca2e1c7dc400
Opcode Fuzzy Hash: cb6061bd00fcf5d5817a298436270a70da75f0555b869f46bbdfee4cd9ce1f11
Instruction Fuzzy Hash: EDA15031710B8285EB21EF22E8147E963E5FB49BE8F804265DB494BB68DF3DC246C704

Function 000001FE8FADC1B0 Relevance: 50.9, APIs: 26, Strings: 3, Instructions: 184filesynchronizationstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 000001FE8FADC215
GetTickCount.KERNEL32 ref: 000001FE8FADC21B
GetTickCount.KERNEL32 ref: 000001FE8FADC232
OpenClipboard.USER32 ref: 000001FE8FADC240
GetClipboardData.USER32 ref: 000001FE8FADC24B
GlobalSize.KERNEL32 ref: 000001FE8FADC260
GlobalLock.KERNEL32 ref: 000001FE8FADC26D
wsprintfW.USER32 ref: 000001FE8FADC2DD
GlobalUnlock.KERNEL32 ref: 000001FE8FADC308
CloseClipboard.USER32 ref: 000001FE8FADC30E
WaitForSingleObject.KERNEL32 ref: 000001FE8FADC32B
CreateFileW.KERNEL32 ref: 000001FE8FADC359
SetFilePointer.KERNEL32 ref: 000001FE8FADC375
lstrlenW.KERNEL32 ref: 000001FE8FADC382
WriteFile.KERNEL32 ref: 000001FE8FADC3A0
CloseHandle.KERNEL32 ref: 000001FE8FADC3A9
ReleaseMutex.KERNEL32 ref: 000001FE8FADC3B6
lstrlenW.KERNEL32 ref: 000001FE8FADC405
wsprintfW.USER32 ref: 000001FE8FADC459
WaitForSingleObject.KERNEL32 ref: 000001FE8FADC469
CreateFileW.KERNEL32 ref: 000001FE8FADC497
SetFilePointer.KERNEL32 ref: 000001FE8FADC4B3
lstrlenW.KERNEL32 ref: 000001FE8FADC4BE
WriteFile.KERNEL32 ref: 000001FE8FADC4DA
CloseHandle.KERNEL32 ref: 000001FE8FADC4E3
ReleaseMutex.KERNEL32 ref: 000001FE8FADC4F0

Strings

[, xrefs: 000001FE8FADC2CB
f, xrefs: 000001FE8FADC428
[esc], xrefs: 000001FE8FADC421

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: File$ClipboardCloseGloballstrlen$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWritewsprintf$DataLockOpenSizeSleepUnlock
String ID: [$[esc]$f
API String ID: 4024049034-3848119899
Opcode ID: 97fd7cb3ef38961945420586d2202e0037aa361a794408fddb7f4b1b4befad8b
Instruction ID: 27f0029682fe937c6432bff7d76c217814d21acda88ec42d3b74c0796b3c8252
Opcode Fuzzy Hash: 97fd7cb3ef38961945420586d2202e0037aa361a794408fddb7f4b1b4befad8b
Instruction Fuzzy Hash: A5913B71210AC696EA20FF25E854BFA77E0F784BE4F944275DB4A86674DF38C54ACB00

Function 000001FE8FAD8FC0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 304windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000001FE8FAD9006
GetDC.USER32 ref: 000001FE8FAD900F
CreateCompatibleDC.GDI32 ref: 000001FE8FAD901B
GetDC.USER32 ref: 000001FE8FAD9027
GetDeviceCaps.GDI32 ref: 000001FE8FAD9038
GetDeviceCaps.GDI32 ref: 000001FE8FAD9048
ReleaseDC.USER32 ref: 000001FE8FAD9065
GetSystemMetrics.USER32 ref: 000001FE8FAD9083
GetSystemMetrics.USER32 ref: 000001FE8FAD90B9
GetSystemMetrics.USER32 ref: 000001FE8FAD910C
GetSystemMetrics.USER32 ref: 000001FE8FAD9126
CreateCompatibleBitmap.GDI32 ref: 000001FE8FAD9144
SelectObject.GDI32 ref: 000001FE8FAD9158
SetStretchBltMode.GDI32 ref: 000001FE8FAD9166
GetSystemMetrics.USER32 ref: 000001FE8FAD9171
GetSystemMetrics.USER32 ref: 000001FE8FAD918B
StretchBlt.GDI32 ref: 000001FE8FAD91D1
GetDIBits.GDI32 ref: 000001FE8FAD9277

Part of subcall function 000001FE8FAE3E78: malloc.LIBCMT ref: 000001FE8FAE3E92

DeleteObject.GDI32 ref: 000001FE8FAD932B
DeleteObject.GDI32 ref: 000001FE8FAD9335
ReleaseDC.USER32 ref: 000001FE8FAD9340
DeleteObject.GDI32 ref: 000001FE8FAD93CE
DeleteObject.GDI32 ref: 000001FE8FAD93D8
ReleaseDC.USER32 ref: 000001FE8FAD93E3

Strings

gfff, xrefs: 000001FE8FAD909D
gfff, xrefs: 000001FE8FAD90CE
, xrefs: 000001FE8FAD91A0

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch$BitmapBitsDesktopModeSelectWindowmalloc
String ID: $gfff$gfff
API String ID: 1524144516-4202476792
Opcode ID: d936499b14b76e66d130f8d05095c3ee707fe66b3643cec9522bfb7bd31049c9
Instruction ID: a1f49a1af14ad262180fdb8492e398854b21ffa398e0cdd58ffcf9427bcd6d89
Opcode Fuzzy Hash: d936499b14b76e66d130f8d05095c3ee707fe66b3643cec9522bfb7bd31049c9
Instruction Fuzzy Hash: 5ED1BD36714B818AE705EB76E4547AD63E1FB89BD8F104279DF0A6B7A8DF38C4468700

Function 000001FE8FAEEC80 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 465COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000001FE8FAEECD6
_errno.LIBCMT ref: 000001FE8FAEECDD
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAEECE8

Strings

U, xrefs: 000001FE8FAEF264

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 30f2d96b9074e97b7c7e9f06a6e76ee1250dada0a486160a752ccb230227623d
Instruction ID: 451ba738ecfc4b6ee17813012619acf07ef1b3b1563fceefe9fffb3edea1854b
Opcode Fuzzy Hash: 30f2d96b9074e97b7c7e9f06a6e76ee1250dada0a486160a752ccb230227623d
Instruction Fuzzy Hash: 9912E132214EC386EB20AF25E4A43FE67E1F3847E4F554165EB4A47AB4EB39C446CB10

Function 000001FE8FADB480 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 279sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 000001FE8FADB4D4
CloseHandle.KERNEL32 ref: 000001FE8FADB50F

Part of subcall function 000001FE8FAE3E0C: _errno.LIBCMT ref: 000001FE8FAE3E2B
Part of subcall function 000001FE8FAE3E0C: _invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE3E37

Part of subcall function 000001FE8FAE3E0C: _errno.LIBCMT ref: 000001FE8FAE3E67

GetLocalTime.KERNEL32 ref: 000001FE8FADB568
wsprintfW.USER32 ref: 000001FE8FADB5AE
SetUnhandledExceptionFilter.KERNEL32 ref: 000001FE8FADB5BB
CloseHandle.KERNEL32 ref: 000001FE8FADB5E1

Part of subcall function 000001FE8FAE3E78: malloc.LIBCMT ref: 000001FE8FAE3E92

Part of subcall function 000001FE8FAE3FEC: _errno.LIBCMT ref: 000001FE8FAE4017
Part of subcall function 000001FE8FAE3FEC: _invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE4022

Sleep.KERNEL32 ref: 000001FE8FADB761
EnumWindows.USER32 ref: 000001FE8FADB781
Sleep.KERNEL32 ref: 000001FE8FADB795
EnumWindows.USER32 ref: 000001FE8FADB7AC
CreateEventA.KERNEL32 ref: 000001FE8FADB819
Sleep.KERNEL32 ref: 000001FE8FADB885
CloseHandle.KERNEL32 ref: 000001FE8FADB8BE
Sleep.KERNEL32 ref: 000001FE8FADB905
WaitForSingleObject.KERNEL32 ref: 000001FE8FADB932
CloseHandle.KERNEL32 ref: 000001FE8FADB93B
CloseHandle.KERNEL32 ref: 000001FE8FADB94C
WaitForSingleObject.KERNEL32 ref: 000001FE8FADB96F
CloseHandle.KERNEL32 ref: 000001FE8FADB978
CloseHandle.KERNEL32 ref: 000001FE8FADB989

Strings

206.238.220.204, xrefs: 000001FE8FADB61A
206.238.220.204, xrefs: 000001FE8FADB647
6666, xrefs: 000001FE8FADB626
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 000001FE8FADB5A0
8888, xrefs: 000001FE8FADB653

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandle$Sleep$_errno$EnumObjectSingleWaitWindows_invalid_parameter_noinfo$CreateEventExceptionFilterLocalTimeUnhandledmallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$206.238.220.204$206.238.220.204$6666$8888
API String ID: 1954332545-3840522574
Opcode ID: e24b6ed1d8ea57e9a4e8ffa4945a5f3e950eb114645b7d582015a0678ead6225
Instruction ID: 648d6ee6eec857974b65e14051a8240e3050cee98fc38dd964bffde7d9a09b42
Opcode Fuzzy Hash: e24b6ed1d8ea57e9a4e8ffa4945a5f3e950eb114645b7d582015a0678ead6225
Instruction Fuzzy Hash: 31E13675204AC686EB21BF21E8503FA37E0F785BE5F504275EB4A466B5CF78C54ACB40

Function 000001FE8FAED160 Relevance: 41.6, APIs: 15, Strings: 8, Instructions: 1317COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAED1D7
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAED1E2
iswctype.LIBCMT ref: 000001FE8FAED23A
_whiteout.LIBCMT ref: 000001FE8FAED253
iswctype.LIBCMT ref: 000001FE8FAED275

Strings

F, xrefs: 000001FE8FAED34B
h, xrefs: 000001FE8FAED367
w, xrefs: 000001FE8FAED375
*, xrefs: 000001FE8FAED342
%, xrefs: 000001FE8FAED22C
N, xrefs: 000001FE8FAED35E
I, xrefs: 000001FE8FAED354
L, xrefs: 000001FE8FAED359

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: iswctype$_errno_invalid_parameter_noinfo_whiteout
String ID: %$*$F$I$L$N$h$w
API String ID: 3700623789-4081125726
Opcode ID: 5a47cfcad9870c6166d9b56845e0fa845daf07801b6f0568e4e7a86a5554995e
Instruction ID: de49631c28e3436e3a2d328af9b9c82aacad6a2f80808c2b654935129433fe51
Opcode Fuzzy Hash: 5a47cfcad9870c6166d9b56845e0fa845daf07801b6f0568e4e7a86a5554995e
Instruction Fuzzy Hash: 02C2D372614AC286FB60AF2590A03FE7BE0F7507E4F550175EB8657BA9DB38C846CB10

Function 00000001400101E0 Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 722COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000D8C4: _getptd.LIBCMT ref: 000000014000D8D6

_errno.LIBCMT ref: 0000000140010253
_invalid_parameter_noinfo.LIBCMT ref: 000000014001025E
_fileno.LIBCMT ref: 0000000140010297
_errno.LIBCMT ref: 000000014001030A
_invalid_parameter_noinfo.LIBCMT ref: 0000000140010315
write_multi_char.LIBCMT ref: 00000001400108FF
write_multi_char.LIBCMT ref: 0000000140010931
write_multi_char.LIBCMT ref: 00000001400109D2
free.LIBCMT ref: 00000001400109EA
write_char.LIBCMT ref: 0000000140010B3D
write_char.LIBCMT ref: 0000000140010B68

Strings

@, xrefs: 0000000140010283
, xrefs: 00000001400108CF

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_fileno_getptdfree
String ID: $@
API String ID: 1084558760-1077428164
Opcode ID: ee6108753ae09ad0e7615fab02f18fe333000af5f4b43b756ad295984d004589
Instruction ID: a037e0bca2090a49e608da9cf892f971785984791d5dea9db18db7eb4fc2503c
Opcode Fuzzy Hash: ee6108753ae09ad0e7615fab02f18fe333000af5f4b43b756ad295984d004589
Instruction Fuzzy Hash: 5B5203726087A486FB668B56D4443EE6BA0B78D7C8F644006FBC55F6F5CBBAC841CB40

Function 000001FE8FAE8B00 Relevance: 30.5, APIs: 15, Strings: 2, Instructions: 721COMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE4F78: _getptd.LIBCMT ref: 000001FE8FAE4F8A

_errno.LIBCMT ref: 000001FE8FAE8B73
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE8B7E
_errno.LIBCMT ref: 000001FE8FAE8C2A
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE8C35
write_multi_char.LIBCMT ref: 000001FE8FAE921F
write_multi_char.LIBCMT ref: 000001FE8FAE9251
write_multi_char.LIBCMT ref: 000001FE8FAE92F2
free.LIBCMT ref: 000001FE8FAE930A
write_char.LIBCMT ref: 000001FE8FAE945D
write_char.LIBCMT ref: 000001FE8FAE9488

Strings

, xrefs: 000001FE8FAE91EF
@, xrefs: 000001FE8FAE8BA3

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_getptdfree
String ID: $@
API String ID: 3872287888-1077428164
Opcode ID: 4ad68d052edb4066e7183ac2d39c2eb6e9cce887ff5bc7de5fef0a40779fa4e1
Instruction ID: e48e7314efc5960fd5bef39a2f7b4c95df11012b250d2878e5c55797fb80356d
Opcode Fuzzy Hash: 4ad68d052edb4066e7183ac2d39c2eb6e9cce887ff5bc7de5fef0a40779fa4e1
Instruction Fuzzy Hash: 02521072208FC286FB64AB9894643FE6BE1B7897F4F6410A9DB45676F5D738C842C700

Function 000001FE8FAE7F58 Relevance: 30.5, APIs: 15, Strings: 2, Instructions: 705COMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE4F78: _getptd.LIBCMT ref: 000001FE8FAE4F8A

_errno.LIBCMT ref: 000001FE8FAE7FC6
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE7FD1
_errno.LIBCMT ref: 000001FE8FAE807A
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE8085
write_multi_char.LIBCMT ref: 000001FE8FAE8652
write_multi_char.LIBCMT ref: 000001FE8FAE8684
write_multi_char.LIBCMT ref: 000001FE8FAE8730
free.LIBCMT ref: 000001FE8FAE8749
write_char.LIBCMT ref: 000001FE8FAE8888
write_char.LIBCMT ref: 000001FE8FAE88A9

Strings

, xrefs: 000001FE8FAE8622
@, xrefs: 000001FE8FAE7FF5

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_getptdfree
String ID: $@
API String ID: 3872287888-1077428164
Opcode ID: de789989f5679af20ad6b3dcbe4606d5ff2aeb23094d55da5cea7cfbe456f95e
Instruction ID: 1aa2b1f9e566e1a2ad52b604ba8658db2fac6751ad5a090063e60e7dd146668f
Opcode Fuzzy Hash: de789989f5679af20ad6b3dcbe4606d5ff2aeb23094d55da5cea7cfbe456f95e
Instruction Fuzzy Hash: F352EE72618EC28AFB65AB1494603FE6BE0F7417E8FB814A5DB56476F4CB79C842C700

Function 000001FE8FAD5820 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 123libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000001FE8FAD5867
GetProcAddress.KERNEL32 ref: 000001FE8FAD587A
FreeLibrary.KERNEL32 ref: 000001FE8FAD58A6
GetProcAddress.KERNEL32 ref: 000001FE8FAD58BD
CreateFileW.KERNEL32 ref: 000001FE8FAD5906
GetProcAddress.KERNEL32 ref: 000001FE8FAD594C
WriteFile.KERNEL32 ref: 000001FE8FAD598D
CloseHandle.KERNEL32 ref: 000001FE8FAD59A2
Sleep.KERNEL32 ref: 000001FE8FAD59B5
GetProcAddress.KERNEL32 ref: 000001FE8FAD59C5
FreeLibrary.KERNEL32 ref: 000001FE8FAD59E0

Strings

wininet.dll, xrefs: 000001FE8FAD584A
InternetOpenUrlW, xrefs: 000001FE8FAD58B3
InternetOpenW, xrefs: 000001FE8FAD586D
InternetReadFile, xrefs: 000001FE8FAD5942
MSIE 6.0, xrefs: 000001FE8FAD5880
InternetCloseHandle, xrefs: 000001FE8FAD59BB

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 2977986460-1099148085
Opcode ID: d4b34376749ff32eba99456bda1799e250470724f7914fc7af70a848fadcdb06
Instruction ID: e10a062fadbc2c3e748dc53a776e894d82bde9b27b6309dfc7fa3b1bc76754e9
Opcode Fuzzy Hash: d4b34376749ff32eba99456bda1799e250470724f7914fc7af70a848fadcdb06
Instruction Fuzzy Hash: 0A416136315AC286EA21AB11B9147BA67E0FB89BF5F5403609F8A07B74DF3DC5468B04

Function 000001FE8FAE21F0 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 294threadtimenetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001FE8FAE222B
GetCurrentThreadId.KERNEL32 ref: 000001FE8FAE2242
CreateWaitableTimerW.KERNEL32 ref: 000001FE8FAE2317
SetWaitableTimer.KERNEL32 ref: 000001FE8FAE237A
free.LIBCMT ref: 000001FE8FAE23AA
malloc.LIBCMT ref: 000001FE8FAE2409
free.LIBCMT ref: 000001FE8FAE2424
WSAWaitForMultipleEvents.WS2_32 ref: 000001FE8FAE24C2
GetLastError.KERNEL32 ref: 000001FE8FAE2554
WSAGetLastError.WS2_32 ref: 000001FE8FAE2588

Part of subcall function 000001FE8FAE1280: recv.WS2_32 ref: 000001FE8FAE12C2
Part of subcall function 000001FE8FAE1280: SetLastError.KERNEL32 ref: 000001FE8FAE12F0
Part of subcall function 000001FE8FAE1280: GetLastError.KERNEL32 ref: 000001FE8FAE1325

GetCurrentThreadId.KERNEL32 ref: 000001FE8FAE25A5
GetCurrentThreadId.KERNEL32 ref: 000001FE8FAE25D1
CloseHandle.KERNEL32 ref: 000001FE8FAE25F3

Strings

bad allocation, xrefs: 000001FE8FAE2440
---------------> Client Worker Thread 0x%08X stoped <---------------, xrefs: 000001FE8FAE25D9
---------------> Client Worker Thread 0x%08X started <---------------, xrefs: 000001FE8FAE2233

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CurrentErrorLastThread$TimerWaitablefree$CloseCreateEventsHandleMultipleWaitmallocrecv
String ID: ---------------> Client Worker Thread 0x%08X started <---------------$---------------> Client Worker Thread 0x%08X stoped <---------------$bad allocation
API String ID: 1496484581-800104984
Opcode ID: a483d8a4f07ee7daca44cb9bd2cf3cbe87aec68c923bb870d730149bae29c94a
Instruction ID: 3899cc218a9f275a38ce4c504b84abc2162644ddd6012ad8b844b9ec429301da
Opcode Fuzzy Hash: a483d8a4f07ee7daca44cb9bd2cf3cbe87aec68c923bb870d730149bae29c94a
Instruction Fuzzy Hash: 5FC15B32601F8286EB64AF25E9603BE63E4F748BE4F544275DB9A877A4DF38C456C310

Function 00007FF665C38B9C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1209COMMONLIBRARYCODE

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF665C38BE1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF665C391E1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF665C39398
_invalid_parameter_noinfo.LIBCMT ref: 00007FF665C395AC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF665C39855
_invalid_parameter_noinfo.LIBCMT ref: 00007FF665C39A52
memcpy_s.LIBCPMT ref: 00007FF665C39B3D
memcpy_s.LIBCPMT ref: 00007FF665C39BE8
memcpy_s.LIBCPMT ref: 00007FF665C39CAE

Strings

1#QNAN, xrefs: 00007FF665C39D6C
1#IND, xrefs: 00007FF665C39D54
1#SNAN, xrefs: 00007FF665C39D60
1#INF, xrefs: 00007FF665C39D7F

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 32cef84cd1dc972d3f30f67bf0faffc5798012c0ccfd2e5b877c42ffa3d6f4fc
Instruction ID: 6d1076c65b2ae30a5fc8e10983aeaf41ab0be3b685c7492aac44063a55a61ad7
Opcode Fuzzy Hash: 32cef84cd1dc972d3f30f67bf0faffc5798012c0ccfd2e5b877c42ffa3d6f4fc
Instruction Fuzzy Hash: 9CB2A373A18296CAE7658F64D442BF977B1FB54B88F505139DA0EDBA84DF38AD00CB40

Function 000001FE8FAD98D0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 143stringprocessCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000001FE8FAD9963
lstrlenW.KERNEL32 ref: 000001FE8FAD9985
wsprintfW.USER32 ref: 000001FE8FAD99E1
ExpandEnvironmentStringsW.KERNEL32 ref: 000001FE8FAD9A48
lstrcatW.KERNEL32 ref: 000001FE8FAD9A83
lstrcatW.KERNEL32 ref: 000001FE8FAD9A90
lstrcpyW.KERNEL32 ref: 000001FE8FAD9A9E
CreateProcessW.KERNEL32 ref: 000001FE8FAD9B0D

Strings

, xrefs: 000001FE8FAD9972
WinSta0\Default, xrefs: 000001FE8FAD9AC0
"%1, xrefs: 000001FE8FAD9A4E
h, xrefs: 000001FE8FAD9AB4
%s\shell\open\command, xrefs: 000001FE8FAD99D3

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: lstrcatlstrlen$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: $"%1$%s\shell\open\command$WinSta0\Default$h
API String ID: 1783372451-2159495357
Opcode ID: dfd323aeb03c13e2d7b38d1d30753097b8c80399a4e347c45ec02a5e266f6bc6
Instruction ID: db1171a98fec2c2fbc2fda8d690aabdcb1d22cfff0f3c3716c39e427dd6014c6
Opcode Fuzzy Hash: dfd323aeb03c13e2d7b38d1d30753097b8c80399a4e347c45ec02a5e266f6bc6
Instruction Fuzzy Hash: 95617232320AC695EB21FB61D8507F963E5FB887D8F440265DB4D5AAB9DF78C206C700

Function 000001FE8FADBDD0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 113synchronizationfilestringCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 000001FE8FADBE0D
lstrcatW.KERNEL32 ref: 000001FE8FADBE1D
CreateMutexW.KERNEL32 ref: 000001FE8FADBE2A
WaitForSingleObject.KERNEL32 ref: 000001FE8FADBE3D
CreateFileW.KERNEL32 ref: 000001FE8FADBE6B
GetFileSize.KERNEL32 ref: 000001FE8FADBE79
CloseHandle.KERNEL32 ref: 000001FE8FADBE84
DeleteFileW.KERNEL32 ref: 000001FE8FADBE95
ReleaseMutex.KERNEL32 ref: 000001FE8FADBEA2
DirectInput8Create.DINPUT8 ref: 000001FE8FADBEC3
GetTickCount.KERNEL32 ref: 000001FE8FADBF7B

Strings

\sys_vdio.key, xrefs: 000001FE8FADBE13
<, xrefs: 000001FE8FADBF46

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeTickWaitlstrcat
String ID: <$\sys_vdio.key
API String ID: 3264482950-1798576524
Opcode ID: 1c1d0dc86c9ff9c9df10a55f1d15d96183aa64237dc76bcdb1e2e0bd592c1929
Instruction ID: dabe7d034f22c7fd8263536fcc49135b9a6c198271903df2c5935192ef8ddab5
Opcode Fuzzy Hash: 1c1d0dc86c9ff9c9df10a55f1d15d96183aa64237dc76bcdb1e2e0bd592c1929
Instruction Fuzzy Hash: EC511031300A8696EB20EF26E854BAA37A0F784BD8F508665DB4987774DF39C54AC700

Function 000001FE8FAD3A60 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 186stringregistrycomCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32 ref: 000001FE8FAD3AF5
lstrcatW.KERNEL32 ref: 000001FE8FAD3B05
CoCreateInstance.OLE32 ref: 000001FE8FAD3B50
wsprintfW.USER32 ref: 000001FE8FAD3C45
RegOpenKeyExW.ADVAPI32 ref: 000001FE8FAD3C6C
RegQueryValueExW.ADVAPI32 ref: 000001FE8FAD3CBE
lstrcatW.KERNEL32 ref: 000001FE8FAD3CD2
lstrcatW.KERNEL32 ref: 000001FE8FAD3CE2
RegCloseKey.ADVAPI32 ref: 000001FE8FAD3CEC

Part of subcall function 000001FE8FAD3970: CreateToolhelp32Snapshot.KERNEL32 ref: 000001FE8FAD39B1
Part of subcall function 000001FE8FAD3970: Process32FirstW.KERNEL32 ref: 000001FE8FAD39D0
Part of subcall function 000001FE8FAD3970: Process32NextW.KERNEL32 ref: 000001FE8FAD3A10
Part of subcall function 000001FE8FAD3970: CloseHandle.KERNEL32 ref: 000001FE8FAD3A1D

lstrlenW.KERNEL32 ref: 000001FE8FAD3D23
lstrcatW.KERNEL32 ref: 000001FE8FAD3D37

Strings

CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 000001FE8FAD3C3A

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: lstrcat$CloseCreateProcess32$FirstHandleInstanceNextOpenQuerySnapshotToolhelp32Valuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}
API String ID: 2719888535-4035668053
Opcode ID: d33f07defdf78316018c5fc0878d74b5aedf32f29980ee74f23bdecb8d2c4bf9
Instruction ID: 9b766272b38d3c29fef1b14fbe7f0a980f5a6b463d2ebf42aa0216ddc9c1efa5
Opcode Fuzzy Hash: d33f07defdf78316018c5fc0878d74b5aedf32f29980ee74f23bdecb8d2c4bf9
Instruction Fuzzy Hash: 44915C76700B9186EB10EF65E8506ED3BB1F784BA8F504266DF895BB68DF38C506CB00

Function 000001FE8FAEFD10 Relevance: 20.3, APIs: 13, Instructions: 754COMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE4F78: _getptd.LIBCMT ref: 000001FE8FAE4F8A

_errno.LIBCMT ref: 000001FE8FAEFD87
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAEFD92
DecodePointer.KERNEL32 ref: 000001FE8FAF036C
DecodePointer.KERNEL32 ref: 000001FE8FAF03AD
DecodePointer.KERNEL32 ref: 000001FE8FAF03D2
write_multi_char.LIBCMT ref: 000001FE8FAF046C
write_multi_char.LIBCMT ref: 000001FE8FAF04A1
write_char.LIBCMT ref: 000001FE8FAF04ED
write_multi_char.LIBCMT ref: 000001FE8FAF0545
free.LIBCMT ref: 000001FE8FAF056C
_errno.LIBCMT ref: 000001FE8FAF0827
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAF0832

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: DecodePointerwrite_multi_char$_errno_invalid_parameter_noinfo$_getptdfreewrite_char
String ID:
API String ID: 3562693915-0
Opcode ID: 43b494f0418648be60998cf239ea68d13273c4f8f163afde2bbbfde4244db2c5
Instruction ID: 0a8d0194a4afb4689444e99c16f835c381b1321765cf70508f278942cf86e70f
Opcode Fuzzy Hash: 43b494f0418648be60998cf239ea68d13273c4f8f163afde2bbbfde4244db2c5
Instruction Fuzzy Hash: 6D62C472604AC286FB64AB1594903FE6BF1F7817E4F2482B5DB465B6F4DB79C842CB00

Function 000001FE8FAD9B40 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 138registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000001FE8FAD9BB6
RegQueryValueExW.ADVAPI32 ref: 000001FE8FAD9C29
lstrcpyW.KERNEL32 ref: 000001FE8FAD9D80
RegCloseKey.ADVAPI32 ref: 000001FE8FAD9D92
RegCloseKey.ADVAPI32 ref: 000001FE8FAD9D9D

Strings

%08X, xrefs: 000001FE8FAD9D2E

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcpy
String ID: %08X
API String ID: 2032971926-3773563069
Opcode ID: e5e4124dce340e64fc084ef5771f100bb91bccaaee7df38b6378f83399f0ca44
Instruction ID: 17ef9ae2c511079b50018cab1cb0fae5f91225b77501d61112ecaafd34fbe8bf
Opcode Fuzzy Hash: e5e4124dce340e64fc084ef5771f100bb91bccaaee7df38b6378f83399f0ca44
Instruction Fuzzy Hash: 39514E71318AC196E760EB11E4847EAA3E0F7C87E4F904275EB8946AB8DF38C546CB44

Function 000001FE8FAD41F0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAD2A10: SysFreeString.OLEAUT32 ref: 000001FE8FAD2A6D
Part of subcall function 000001FE8FAD2A10: SysAllocString.OLEAUT32 ref: 000001FE8FAD2AB9

GetTokenInformation.ADVAPI32 ref: 000001FE8FAD4266
GetLastError.KERNEL32 ref: 000001FE8FAD4270
GetProcessHeap.KERNEL32 ref: 000001FE8FAD4283
HeapAlloc.KERNEL32 ref: 000001FE8FAD4292
GetTokenInformation.ADVAPI32 ref: 000001FE8FAD42BE
LookupAccountSidW.ADVAPI32 ref: 000001FE8FAD42FC
GetLastError.KERNEL32 ref: 000001FE8FAD4306
GetProcessHeap.KERNEL32 ref: 000001FE8FAD4356
HeapFree.KERNEL32 ref: 000001FE8FAD4364

Strings

NONE_MAPPED, xrefs: 000001FE8FAD4313
Network, xrefs: 000001FE8FAD41F0

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountLookup
String ID: NONE_MAPPED$Network
API String ID: 1972796461-3150097737
Opcode ID: dc04e29aa2e29e93e0f6f97a95982f0179af726db92d6d1e0a5c71dd7b62d461
Instruction ID: 857414680e065d293d70e8fb3968d312326d659195b0965462510828fa12f769
Opcode Fuzzy Hash: dc04e29aa2e29e93e0f6f97a95982f0179af726db92d6d1e0a5c71dd7b62d461
Instruction Fuzzy Hash: EE414C32204AC286EA61BB15E8547EAA3E0F789BE5F544275EF494BB74DF3CC51AC700

Function 000001FE8FAD5A10 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 102threadinjectionprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 000001FE8FAD5AB0
CreateProcessA.KERNEL32 ref: 000001FE8FAD5B18
VirtualAllocEx.KERNEL32 ref: 000001FE8FAD5B49
WriteProcessMemory.KERNEL32 ref: 000001FE8FAD5B6A
GetThreadContext.KERNEL32 ref: 000001FE8FAD5B84
SetThreadContext.KERNEL32 ref: 000001FE8FAD5B9E
ResumeThread.KERNEL32 ref: 000001FE8FAD5BB1

Strings

Windows\System32\svchost.exe, xrefs: 000001FE8FAD5AB6
@, xrefs: 000001FE8FAD5B3E
%s%s, xrefs: 000001FE8FAD5AC4
h, xrefs: 000001FE8FAD5A84

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
String ID: %s%s$@$Windows\System32\svchost.exe$h
API String ID: 4033188109-2160973000
Opcode ID: 4603eddee24f2c2698b3de494bfe0deafb39d4e7db297f61fd0084748d6fe062
Instruction ID: 5a8aac706ce479c370bd0d092bd96a4a09965f40fb57a56939eccf08e28f81c8
Opcode Fuzzy Hash: 4603eddee24f2c2698b3de494bfe0deafb39d4e7db297f61fd0084748d6fe062
Instruction Fuzzy Hash: 8641A432214BC289EB20EF61E8007EAB7E5F7847D8F444165DB895BA68DF79C216CB04

Function 0000000140002D20 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 101threadinjectionprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 0000000140002DC4
CreateProcessA.KERNEL32 ref: 0000000140002E2B
VirtualAllocEx.KERNEL32 ref: 0000000140002E5A
WriteProcessMemory.KERNEL32 ref: 0000000140002E79
GetThreadContext.KERNEL32 ref: 0000000140002E9A
SetThreadContext.KERNEL32 ref: 0000000140002EB8
ResumeThread.KERNEL32 ref: 0000000140002ECA

Strings

%s%s, xrefs: 0000000140002DD9
@, xrefs: 0000000140002E4F
h, xrefs: 0000000140002D8E
Windows\System32\tracerpt.exe, xrefs: 0000000140002DCA

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
String ID: %s%s$@$Windows\System32\tracerpt.exe$h
API String ID: 4033188109-528786837
Opcode ID: eff8000e3a53d83792f7adea36c654d308863d7fa0e77b685c867a66f522848f
Instruction ID: d9c59347ba433200f8598016dfa5e5bf01fa7bfbe9b42c51a5adf8784e46ff0a
Opcode Fuzzy Hash: eff8000e3a53d83792f7adea36c654d308863d7fa0e77b685c867a66f522848f
Instruction Fuzzy Hash: 5F414B72204AC185E732DF22F85079AB3A5F7CCB89F444015EB8D47AA9EF39C555CB10

Function 000001FE8FAD5040 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001FE8FAD5055
OpenProcessToken.ADVAPI32 ref: 000001FE8FAD5068
LookupPrivilegeValueW.ADVAPI32 ref: 000001FE8FAD5088
AdjustTokenPrivileges.ADVAPI32 ref: 000001FE8FAD50B2
CloseHandle.KERNEL32 ref: 000001FE8FAD50BD
GetModuleHandleA.KERNEL32 ref: 000001FE8FAD50CA
GetProcAddress.KERNEL32 ref: 000001FE8FAD50DA
OpenProcess.KERNEL32 ref: 000001FE8FAD5112

Strings

SeDebugPrivilege, xrefs: 000001FE8FAD5077
NtSetInformationProcess, xrefs: 000001FE8FAD50D0
NtDll.dll, xrefs: 000001FE8FAD50C3

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Process$HandleOpenToken$AddressAdjustCloseCurrentLookupModulePrivilegePrivilegesProcValue
String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
API String ID: 2787840106-1577477132
Opcode ID: de3b0c7de4938cd4d9b60420ee93e2d79fa07d28ae88f8e18ff7779c5da0ff56
Instruction ID: e164c8234c3397e57b38ccb96170548b66ff291fe3b09308a5cb6350ce4f740b
Opcode Fuzzy Hash: de3b0c7de4938cd4d9b60420ee93e2d79fa07d28ae88f8e18ff7779c5da0ff56
Instruction Fuzzy Hash: C7215C71310B8286EB10EB21F4147EA77E0FB89BA4F5402659B4E4B764DF79C18A8B40

Function 000001FE8FAE7B8C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 000001FE8FAE7BD1
_set_error_mode.LIBCMT ref: 000001FE8FAE7BE2
GetModuleFileNameW.KERNEL32 ref: 000001FE8FAE7C44
GetStdHandle.KERNEL32 ref: 000001FE8FAE7D59
WriteFile.KERNEL32 ref: 000001FE8FAE7DB6

Strings

..., xrefs: 000001FE8FAE7C96
<program name unknown>, xrefs: 000001FE8FAE7C53
Microsoft Visual C++ Runtime Library, xrefs: 000001FE8FAE7CFD
Runtime Error!Program: , xrefs: 000001FE8FAE7C11

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: File_set_error_mode$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 1085760375-4022980321
Opcode ID: a75b4c166f4ff9e0fa6da0bd796e45336551005c980250f4ac4646e2192a69c9
Instruction ID: 7044906b8dbc0a8cc0b2b94ea9d60a13714cb2958bdc8192a6e850c73157f449
Opcode Fuzzy Hash: a75b4c166f4ff9e0fa6da0bd796e45336551005c980250f4ac4646e2192a69c9
Instruction Fuzzy Hash: 1D51CF35310AC242FB64FB25E8617FA63E4F785BE4F4442B5AF6943BA6DB38C5078600

Function 00007FF665B49F50 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 145windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF665B49F89
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF665B49FE7
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF665B4A03E

Strings

Too many open files, xrefs: 00007FF665B4A0A9
No such file or directory, xrefs: 00007FF665B4A0BB
Permission denied, xrefs: 00007FF665B4A0B2
The specified module could not be found., xrefs: 00007FF665B4A05E
No space left on device, xrefs: 00007FF665B4A0A0

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: No space left on device$No such file or directory$Permission denied$The specified module could not be found.$Too many open files
API String ID: 1365068426-3654939424
Opcode ID: be521251e698086a4d4e1ef04526cc968ae02a472e1e1e25b1f7a3c59cb21574
Instruction ID: 9928ad499c5d7f03717fb16cd827c2f307f1011553efe9c12e30b83773a5c03b
Opcode Fuzzy Hash: be521251e698086a4d4e1ef04526cc968ae02a472e1e1e25b1f7a3c59cb21574
Instruction Fuzzy Hash: B6513F32A04A11C6E7648F29D8A257C33B1BB8AF94F549135EA1EDBB98DF39DC45C700

Function 000001FE8FADCBF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 127COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 000001FE8FADCC2A
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000001FE8FADCD21
CreateEventW.KERNEL32 ref: 000001FE8FADCD62
CreateEventW.KERNEL32 ref: 000001FE8FADCD90
CreateEventW.KERNEL32 ref: 000001FE8FADCDBE

Part of subcall function 000001FE8FAD72B0: GdipDisposeImage.GDIPLUS ref: 000001FE8FAD72ED
Part of subcall function 000001FE8FAD72B0: GdipFree.GDIPLUS ref: 000001FE8FAD72FB

Strings

<, xrefs: 000001FE8FADCC8C
`, xrefs: 000001FE8FADCC9A
<, xrefs: 000001FE8FADCC85

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CreateEvent$Gdip$CountCriticalDisposeFreeImageInitializeSectionSpin
String ID: <$<$`
API String ID: 3048658606-2220807966
Opcode ID: df5c58209d20144fac77f641d0bf13223d1090dc20bdac81c627280d7c07bfee
Instruction ID: 81fb591f3e981caaa51f6d86859b1fc663d8d199127dcbc4591baa8a3b32ccf9
Opcode Fuzzy Hash: df5c58209d20144fac77f641d0bf13223d1090dc20bdac81c627280d7c07bfee
Instruction Fuzzy Hash: 18518B72201B9282E719AF34E8007AD37E9F745FA8F54423D9F594BBA8CF388452CB50

Function 0000000140005100 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 127COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 000000014000513A
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000000140005231
CreateEventW.KERNEL32 ref: 0000000140005272
CreateEventW.KERNEL32 ref: 00000001400052A0
CreateEventW.KERNEL32 ref: 00000001400052CE

Strings

`, xrefs: 00000001400051AA
<, xrefs: 000000014000519C
<, xrefs: 0000000140005195

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CreateEvent$CountCriticalInitializeSectionSpin
String ID: <$<$`
API String ID: 1354401513-2220807966
Opcode ID: e16cce76c1c69b643359e72815a3e599258c26f66a7f0d5d82e61e046c666fe7
Instruction ID: 3b636f3733dae5a9be956b2963b6027ab5ad5dbd70e0a2f7adbe16c279c113d3
Opcode Fuzzy Hash: e16cce76c1c69b643359e72815a3e599258c26f66a7f0d5d82e61e046c666fe7
Instruction Fuzzy Hash: 29518AB2201B9182E719DF35F81079E36A8F74AF98F04422DAF594BBA9CF788455CB44

Function 000001FE8FAD56A0 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001FE8FAD56B7
OpenProcessToken.ADVAPI32 ref: 000001FE8FAD56CA
LookupPrivilegeValueW.ADVAPI32 ref: 000001FE8FAD56F5
AdjustTokenPrivileges.ADVAPI32 ref: 000001FE8FAD5718
GetLastError.KERNEL32 ref: 000001FE8FAD571E
CloseHandle.KERNEL32 ref: 000001FE8FAD572D
CloseHandle.KERNEL32 ref: 000001FE8FAD5748

Strings

SeShutdownPrivilege, xrefs: 000001FE8FAD56DB

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3435690185-3733053543
Opcode ID: 991f30af3a6744b5f69f974a0569d38b3971da61082ad6ce6e3ec9eac49991d0
Instruction ID: 6b27e3adf3b3831f395f18fd9879cecf68cb1600e2298e7c7e7f0ca02f634e67
Opcode Fuzzy Hash: 991f30af3a6744b5f69f974a0569d38b3971da61082ad6ce6e3ec9eac49991d0
Instruction Fuzzy Hash: E0119372320A8586E750AF24E4557AA77E0F788BE0F540661EB4E8B674DF3CC086C700

Function 000001FE8FAD8997 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47processshutdownCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000001FE8FAD89A3
GetCommandLineW.KERNEL32 ref: 000001FE8FAD89A9
GetStartupInfoW.KERNEL32 ref: 000001FE8FAD89B6
CreateProcessW.KERNEL32 ref: 000001FE8FAD89F3
ExitProcess.KERNEL32 ref: 000001FE8FAD89FC
ExitProcess.KERNEL32 ref: 000001FE8FAD8A05

Part of subcall function 000001FE8FAD56A0: GetCurrentProcess.KERNEL32 ref: 000001FE8FAD56B7
Part of subcall function 000001FE8FAD56A0: OpenProcessToken.ADVAPI32 ref: 000001FE8FAD56CA
Part of subcall function 000001FE8FAD56A0: LookupPrivilegeValueW.ADVAPI32 ref: 000001FE8FAD56F5
Part of subcall function 000001FE8FAD56A0: AdjustTokenPrivileges.ADVAPI32 ref: 000001FE8FAD5718
Part of subcall function 000001FE8FAD56A0: GetLastError.KERNEL32 ref: 000001FE8FAD571E
Part of subcall function 000001FE8FAD56A0: CloseHandle.KERNEL32 ref: 000001FE8FAD572D

ExitWindowsEx.USER32 ref: 000001FE8FAD8A1B

Part of subcall function 000001FE8FAD56A0: CloseHandle.KERNEL32 ref: 000001FE8FAD5748

Strings

, xrefs: 000001FE8FAD89E7

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Process$Exit$CloseHandleToken$AdjustCommandCreateCurrentErrorFileInfoLastLineLookupModuleNameOpenPrivilegePrivilegesStartupValueWindows
String ID:
API String ID: 2667809516-3916222277
Opcode ID: a274c2ab89dcb3f931120a1ddd554a39c3b12f7e05ca43a7662b359e7219e845
Instruction ID: 27e7fec709bc86e21e826ae1b9520898b3d8b5a2b73723a6aed15ab8f6973941
Opcode Fuzzy Hash: a274c2ab89dcb3f931120a1ddd554a39c3b12f7e05ca43a7662b359e7219e845
Instruction Fuzzy Hash: CD116376600A828AE764AF30F8557ED73A4FB847E4F5403659B4A07AB8CF3DC146C700

Function 000001FE8FAEC7E0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE4F78: _getptd.LIBCMT ref: 000001FE8FAE4F8A

_errno.LIBCMT ref: 000001FE8FAEC830
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAEC83A
_errno.LIBCMT ref: 000001FE8FAEC85C
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAEC868
_errno.LIBCMT ref: 000001FE8FAEC890
_cftoe_l.LIBCMT ref: 000001FE8FAEC8D4

Strings

gfffffff, xrefs: 000001FE8FAECB5F

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
String ID: gfffffff
API String ID: 1282097019-1523873471
Opcode ID: 556f12f472df7c314a951936d8e99cd1d3ce7c173c0ae253b973df429c375633
Instruction ID: 144f073464c2cf205b3bf5e7f8cf5075c96caaa5800e2c1d8e3a4c9f4cea63b1
Opcode Fuzzy Hash: 556f12f472df7c314a951936d8e99cd1d3ce7c173c0ae253b973df429c375633
Instruction Fuzzy Hash: D4B16273714BC686EB11EB29D2603FD7BE5A3117E4F0486B1CB69877E6E6388416C300

Function 000000014001364C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014000D8C4: _getptd.LIBCMT ref: 000000014000D8D6

_errno.LIBCMT ref: 000000014001369C
_invalid_parameter_noinfo.LIBCMT ref: 00000001400136A6
_errno.LIBCMT ref: 00000001400136C8
_invalid_parameter_noinfo.LIBCMT ref: 00000001400136D4
_errno.LIBCMT ref: 00000001400136FC
_cftoe_l.LIBCMT ref: 0000000140013740

Strings

gfffffff, xrefs: 00000001400139CB

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
String ID: gfffffff
API String ID: 1282097019-1523873471
Opcode ID: ec41a007deb0b9d246c5b2927c9b2503f4cdaddccc49e3f3ffb37e787d51f368
Instruction ID: 648b1be543de883bf8739b7f96fd86269f1c3cb6cbbc0ac56d18a902ce507f8f
Opcode Fuzzy Hash: ec41a007deb0b9d246c5b2927c9b2503f4cdaddccc49e3f3ffb37e787d51f368
Instruction Fuzzy Hash: 0EB154B3B047C486FB16CB2A95453DD7BA5E7197E4F048621EF990B7E6EA3AC414C310

Function 000001FE8FAE3A20 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000001FE8FAE656B
RtlLookupFunctionEntry.KERNEL32 ref: 000001FE8FAE658A
RtlVirtualUnwind.KERNEL32 ref: 000001FE8FAE65D6
IsDebuggerPresent.KERNEL32 ref: 000001FE8FAE6648
SetUnhandledExceptionFilter.KERNEL32 ref: 000001FE8FAE6660
UnhandledExceptionFilter.KERNEL32 ref: 000001FE8FAE666D
GetCurrentProcess.KERNEL32 ref: 000001FE8FAE6686
TerminateProcess.KERNEL32 ref: 000001FE8FAE6694

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: a231cb6aec9b0e57251850d34f2610e13ffa11949d7c845deaba270be49158b0
Instruction ID: dcfb31734eecfb82d81d1bd8382e9da08a471523d492007498bea9a88a44a913
Opcode Fuzzy Hash: a231cb6aec9b0e57251850d34f2610e13ffa11949d7c845deaba270be49158b0
Instruction Fuzzy Hash: 4531F135204BC685EA20AF24F8503AA73E8F7897E4F500576DB8E437B4EF79C0968700

Function 000001FE8FAD8933 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32 ref: 000001FE8FAD8967
ClearEventLogW.ADVAPI32 ref: 000001FE8FAD897A
CloseEventLog.ADVAPI32 ref: 000001FE8FAD8983

Strings

System, xrefs: 000001FE8FAD894C
Application, xrefs: 000001FE8FAD8933
Security, xrefs: 000001FE8FAD8941

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 64425f49ed47b34c4a421d998de9bdb23b72944f8aa1223f8da030d793edcbb5
Instruction ID: 9c718b912efaac75b27f64f5cb6cf1bbf0dba4edb5bf563f66d5b2641be17c0a
Opcode Fuzzy Hash: 64425f49ed47b34c4a421d998de9bdb23b72944f8aa1223f8da030d793edcbb5
Instruction Fuzzy Hash: C101DA36605B8285FA26AB25F4543F967E4FB887E8F5402768B5D47774EE38C1828600

Function 00007FF665B72C00 Relevance: 9.5, APIs: 6, Instructions: 456windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF665B72E4E
MsgWaitForMultipleObjectsEx.USER32 ref: 00007FF665B730C3
MsgWaitForMultipleObjectsEx.USER32 ref: 00007FF665B731D1
PostMessageW.USER32 ref: 00007FF665B732BF

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: MessageMultipleObjectsWait$PeekPost
String ID:
API String ID: 105686753-0
Opcode ID: bde40b9d549f6fae919aee2e8763a9875290cbc4817eaa1538dff8214ff397bc
Instruction ID: fe02b089ffe7294fbf662c1a2dc951d4ab1ccf13c7b7b858236301b3edccfc01
Opcode Fuzzy Hash: bde40b9d549f6fae919aee2e8763a9875290cbc4817eaa1538dff8214ff397bc
Instruction Fuzzy Hash: 2022C532E09A81C6EB50CB24C8623BD6770FB9AB88F545131DA4D9BA95DF38FD85C700

Function 00007FF665C2A144 Relevance: 9.3, APIs: 6, Instructions: 280timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF665C2A18E

Part of subcall function 00007FF665C2932C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF665C29340

_get_daylight.LIBCMT ref: 00007FF665C2A17D

Part of subcall function 00007FF665C2938C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF665C293A0

_get_daylight.LIBCMT ref: 00007FF665C2A406
_get_daylight.LIBCMT ref: 00007FF665C2A417
_get_daylight.LIBCMT ref: 00007FF665C2A428
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF665C2A634), ref: 00007FF665C2A44F

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$InformationTimeZone
String ID:
API String ID: 435049134-0
Opcode ID: 137aa6c628618abedf1ddfa1769073cfff43dc3b72dfa687c4f3e24b5cce473d
Instruction ID: c2b4b0c913983ed802639f1c4ecbfd5fbcf2d75ed2147b5926465ea49122a889
Opcode Fuzzy Hash: 137aa6c628618abedf1ddfa1769073cfff43dc3b72dfa687c4f3e24b5cce473d
Instruction Fuzzy Hash: BCB1D123A08642C6E710EF26D8525BA7771BB84F94F446139EA4DCBAD5DF7CEC418700

Function 00007FF665C27648 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF665C276C1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF665C276D9
RtlVirtualUnwind.KERNEL32 ref: 00007FF665C27714
IsDebuggerPresent.KERNEL32 ref: 00007FF665C2774D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF665C27757
UnhandledExceptionFilter.KERNEL32 ref: 00007FF665C27762

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 87ff3d6eeb635e790895d91028e87dc3f406e0927c6df138aeb043b668ae2b89
Instruction ID: f205b57ae8caca4ab87d6bb7653a084eada612bf6c5f861baf2cd4302dc0f601
Opcode Fuzzy Hash: 87ff3d6eeb635e790895d91028e87dc3f406e0927c6df138aeb043b668ae2b89
Instruction Fuzzy Hash: F1315D33618F81C6EB60CF25E8416AA73B4FB88B54F501139EA8D87B98DF3CD9458B00

Function 00007FF665BB1B50 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 303fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF665BB1BE5
DeviceIoControl.KERNEL32 ref: 00007FF665BB1C64
CloseHandle.KERNEL32 ref: 00007FF665BB1DC1

Strings

^Volume\{([a-z]|[0-9]|-)+\}\\, xrefs: 00007FF665BB1DDF
\\?\, xrefs: 00007FF665BB1E56

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: \\?\$^Volume\{([a-z]|[0-9]|-)+\}\\
API String ID: 33631002-4034573397
Opcode ID: a2c130af8c3b6cf50b6a52d76a7e523c0275167e47f78f66250d50651771c600
Instruction ID: 0a39c67c8c44419bef25b1aa37e300bc9fb01d880b24c1439868ba6a575f7ee7
Opcode Fuzzy Hash: a2c130af8c3b6cf50b6a52d76a7e523c0275167e47f78f66250d50651771c600
Instruction Fuzzy Hash: C1D18F32A08A11C6EB20DF25E4A266D73B0EB8AB94F544231DA5DCB6D4DF7CDC42CB40

Function 000001FE8FAD51C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001FE8FAD51D3
OpenProcessToken.ADVAPI32 ref: 000001FE8FAD51E6
LookupPrivilegeValueW.ADVAPI32 ref: 000001FE8FAD5215
AdjustTokenPrivileges.ADVAPI32 ref: 000001FE8FAD525A

Strings

SeDebugPrivilege, xrefs: 000001FE8FAD520C

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 2349140579-2896544425
Opcode ID: 3df3e9674ee82a8dd9461d8c8e16cfb09a5d387e4b33b5c3f15a18fe30b99d19
Instruction ID: 0fdc09aa7aa71e8e8b8f1b235ccd94793b74b2d7419a3381aaaf67889640ec68
Opcode Fuzzy Hash: 3df3e9674ee82a8dd9461d8c8e16cfb09a5d387e4b33b5c3f15a18fe30b99d19
Instruction Fuzzy Hash: 68118236315BC282EB10AF55F4556AAB7E0F788798F840165EB8E47B68DF7DC009CB00

Function 000001FE8FAD4F20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

PathIsDirectoryA.SHLWAPI ref: 000001FE8FAD4F40
GlobalMemoryStatusEx.KERNEL32 ref: 000001FE8FAD4FA8

Strings

@, xrefs: 000001FE8FAD4FA0
VMware, xrefs: 000001FE8FAD4F85
C:\Program Files\VMware\VMware Tools\, xrefs: 000001FE8FAD4F39

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: DirectoryGlobalMemoryPathStatus
String ID: @$C:\Program Files\VMware\VMware Tools\$VMware
API String ID: 2404642766-3945705589
Opcode ID: 9eef2ea4262c92f19372715fd3c3978f4fca6487c545fe70191300ad05ea55d3
Instruction ID: 3ddc528a5c913fa7ee6992a479804db3e3848d8ce63e90fe8c20ae5d6ed70f92
Opcode Fuzzy Hash: 9eef2ea4262c92f19372715fd3c3978f4fca6487c545fe70191300ad05ea55d3
Instruction Fuzzy Hash: 55113C36614AC281FA60FB11E4213FA63D0F7947D4F8041A59B4E466A5DF2CC10ACB00

Function 00007FF665C2D588 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF665C2D5F7
WriteFile.KERNEL32 ref: 00007FF665C2D8AE
WriteFile.KERNEL32 ref: 00007FF665C2D900
GetLastError.KERNEL32 ref: 00007FF665C2DA02
GetLastError.KERNEL32 ref: 00007FF665C2DA62

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 401fe4669268a13e147bc2a0c3f252077b6128bc5c543b1d41c0b6380ef1694e
Instruction ID: 8a428a5d137ea67088e0517af247bf869092587195785e8ea62d1a20d7ed69d8
Opcode Fuzzy Hash: 401fe4669268a13e147bc2a0c3f252077b6128bc5c543b1d41c0b6380ef1694e
Instruction Fuzzy Hash: 19E10273B18A81CAE700CF64D0415AD7BB0FB55B98F14913ADE4E9BB99DE38D816C740

Function 00007FF665BC6BF0 Relevance: 7.6, Strings: 5, Instructions: 1337COMMON

Download Yara Rule

Strings

QDateTimeParser::parse Internal error 3 (%s %s), xrefs: 00007FF665BC78A4
QDateTimeParser::parse Internal error (%s), xrefs: 00007FF665BC70EA
QDateTimeParser::parse Internal error 2, xrefs: 00007FF665BC7214
default, xrefs: 00007FF665BC70DC, 00007FF665BC7206, 00007FF665BC7896, 00007FF665BC7D25
QDateTimeParser::parse Internal error 4 (%s), xrefs: 00007FF665BC7D33

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: QDateTimeParser::parse Internal error (%s)$QDateTimeParser::parse Internal error 2$QDateTimeParser::parse Internal error 3 (%s %s)$QDateTimeParser::parse Internal error 4 (%s)$default
API String ID: 0-412086101
Opcode ID: 2f91bf01c8acce56a866329e44f367f359a3cfcc74283a7fccceca5c0ea94de4
Instruction ID: 890582ec052ccb4d137294520db5e1011ff05bc4912e941611ea2498be738947
Opcode Fuzzy Hash: 2f91bf01c8acce56a866329e44f367f359a3cfcc74283a7fccceca5c0ea94de4
Instruction Fuzzy Hash: 89D2A532A08642CAEB20CF24D4622ED77B1FB8AB98F504135DA4DDB699DF78ED45C740

Function 000001FE8FAD3970 Relevance: 7.6, APIs: 5, Instructions: 56processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000001FE8FAD39B1
Process32FirstW.KERNEL32 ref: 000001FE8FAD39D0
Process32NextW.KERNEL32 ref: 000001FE8FAD3A10
CloseHandle.KERNEL32 ref: 000001FE8FAD3A1D
CloseHandle.KERNEL32 ref: 000001FE8FAD3A46

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: 0e6cdfb65babf1bf3c4be1fd3b5a506397d62204a4a8a4036368e1bef1891cbb
Instruction ID: dc4508cb2d76af8f63cb9a5d54891b5af4f089befe9778edfbb4c30398c5907f
Opcode Fuzzy Hash: 0e6cdfb65babf1bf3c4be1fd3b5a506397d62204a4a8a4036368e1bef1891cbb
Instruction Fuzzy Hash: 5A214F353146C286EB64AB15E4543BA67E0FB88BE4F448375DB9A467B4EF38C546C700

Function 000001FE8FAD4140 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000001FE8FAD419C
CheckTokenMembership.ADVAPI32 ref: 000001FE8FAD41B6
FreeSid.ADVAPI32 ref: 000001FE8FAD41C1

Strings

Network, xrefs: 000001FE8FAD4140

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID: Network
API String ID: 3429775523-2939797024
Opcode ID: 8ad016942c7da11828b6f5aa434babc68504aae5a5167266cc484b2e2891f1f3
Instruction ID: 623846215554827cee43c52931aaab068613cdeaee9f8e6822c55899a05064a8
Opcode Fuzzy Hash: 8ad016942c7da11828b6f5aa434babc68504aae5a5167266cc484b2e2891f1f3
Instruction Fuzzy Hash: AA11FE7261878587E7109F25F49075BBBA0F788794F50122AE78A47B78DB3CD149CF00

Function 00007FF665C2A3D8 Relevance: 6.1, APIs: 4, Instructions: 149timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF665C2A406

Part of subcall function 00007FF665C2938C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF665C293A0

_get_daylight.LIBCMT ref: 00007FF665C2A417

Part of subcall function 00007FF665C2932C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF665C29340

_get_daylight.LIBCMT ref: 00007FF665C2A428

Part of subcall function 00007FF665C2935C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF665C29370

Part of subcall function 00007FF665C310CC: HeapFree.KERNEL32(?,?,?,00007FF665C37920,?,?,?,00007FF665C37963,?,?,00000001,00007FF665C37E28,?,?,?,00007FF665C37D5B), ref: 00007FF665C310E2
Part of subcall function 00007FF665C310CC: GetLastError.KERNEL32(?,?,?,00007FF665C37920,?,?,?,00007FF665C37963,?,?,00000001,00007FF665C37E28,?,?,?,00007FF665C37D5B), ref: 00007FF665C310F4

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF665C2A634), ref: 00007FF665C2A44F

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 2b8e42fba298950875784907ae90498541b511e2692174a64a3f91a37cb06da3
Instruction ID: 4f4a36c9f4c5f1af7426e15b32e8cb38c2742feeec9717a174fef90660697dc2
Opcode Fuzzy Hash: 2b8e42fba298950875784907ae90498541b511e2692174a64a3f91a37cb06da3
Instruction Fuzzy Hash: E3615F33A18642CAE710DF25D9925B97770BB88F84F446239EA4DCB6A5DF7CEC418740

Function 000001FE8FAF4288 Relevance: 5.8, Strings: 4, Instructions: 795COMMONLIBRARYCODE

Download Yara Rule

Strings

1#SNAN, xrefs: 000001FE8FAF4372
1#INF, xrefs: 000001FE8FAF43EE
1#IND, xrefs: 000001FE8FAF43B7
1#QNAN, xrefs: 000001FE8FAF4425

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: 48b426091ca7310074e47ba4353bcb83d81d6977aa3c1439b94c3d96a45d4ada
Instruction ID: 0ebf4d39cef2465f3cd29ca2a0f3054db080138c8a72bf1685da33d1e682f981
Opcode Fuzzy Hash: 48b426091ca7310074e47ba4353bcb83d81d6977aa3c1439b94c3d96a45d4ada
Instruction Fuzzy Hash: 0962C176B242928BF724AFA5C000BFD37F1F754B98F509265DF057BAA8E6348926C740

Function 00007FF665C32934 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665C32998

Strings

gfffffff, xrefs: 00007FF665C32C49

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 7945e267a0154df2b998390322b850647b738dcd4beeb1d66246e91b04171181
Instruction ID: c2a04e71038a9fcf04c082cd35c8d5b9245b166d3c7cef3051c71fd0183ebeec
Opcode Fuzzy Hash: 7945e267a0154df2b998390322b850647b738dcd4beeb1d66246e91b04171181
Instruction Fuzzy Hash: C8912663B083CA86EF158F29D8217A96BB1AB51F84F05903ACE4D8B795DE3CED018340

Function 00007FF665B5B9B0 Relevance: 5.5, Strings: 4, Instructions: 467COMMON

Download Yara Rule

Strings

QMetaMethod::invoke: Unable to handle unregistered datatype '%s', xrefs: 00007FF665B5BF47
QMetaMethod::invoke: Unable to invoke methods with return values in queued connections, xrefs: 00007FF665B5BDF5
QMetaMethod::invoke: Dead lock detected in BlockingQueuedConnection: Receiver is %s(%p), xrefs: 00007FF665B5C03A
default, xrefs: 00007FF665B5BDEA, 00007FF665B5BF34, 00007FF665B5C021

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: QMetaMethod::invoke: Dead lock detected in BlockingQueuedConnection: Receiver is %s(%p)$QMetaMethod::invoke: Unable to handle unregistered datatype '%s'$QMetaMethod::invoke: Unable to invoke methods with return values in queued connections$default
API String ID: 0-3719105355
Opcode ID: 0a1dd0c491e2e491c67967bac0761aa9f640679ed4053f5351dec3832318cb0d
Instruction ID: 0056f83235fd9ab42da047dea7c657cb4daef6ad858df02c3935d9b1e239623b
Opcode Fuzzy Hash: 0a1dd0c491e2e491c67967bac0761aa9f640679ed4053f5351dec3832318cb0d
Instruction Fuzzy Hash: 08225E32A09B85C9EB54CF25D8912AD77B4FB89B94F144136EE4D8BBA8DF78D840C700

Function 00007FF665C38770 Relevance: 4.8, APIs: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF665C387D6
memcpy_s.LIBCPMT ref: 00007FF665C38801

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 61c8d48a73c74d7b2b5693099c23eccbf95a4682f3061de545b2f75f73c9d44c
Instruction ID: 835fe12f2fb46709efb430a4d06a112b6469ffdc729603401acc02290e504ed3
Opcode Fuzzy Hash: 61c8d48a73c74d7b2b5693099c23eccbf95a4682f3061de545b2f75f73c9d44c
Instruction Fuzzy Hash: A6C19173A1928A87DB24CF19E545A6AB7B1F794B88F448139DB4ACB744DE3DEC01CB40

Function 00007FF665C33340 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665C33376

Part of subcall function 00007FF665C2787C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF665C27859), ref: 00007FF665C27885
Part of subcall function 00007FF665C2787C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF665C27859), ref: 00007FF665C278AA

Strings

-, xrefs: 00007FF665C33568

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: -
API String ID: 4036615347-2547889144
Opcode ID: 4818ce36b43b8457feceb959f8c110170a1097cd530babca61bdf488c472f1ae
Instruction ID: 209f5fac8f6dc014a224acd7b314a42b0b3f9129ec6a17a7fb6c7b5b13a237e2
Opcode Fuzzy Hash: 4818ce36b43b8457feceb959f8c110170a1097cd530babca61bdf488c472f1ae
Instruction Fuzzy Hash: 9191D373A0C789C6E6648B15D541769BAB1FB95F94F444239EA9D8BB98DF3CDC00C700

Function 000001FE8FAF3A24 Relevance: 3.6, APIs: 2, Instructions: 613COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAF3A87
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAF3A92

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 2c31b7c5487f01d281f7e0ea84f95429dd58f40f530a4d6afe04b2f875753eb5
Instruction ID: 307ed28f31bcb7cc4824cffe0d9938211d30ff519c553a14c363a9da002aecb9
Opcode Fuzzy Hash: 2c31b7c5487f01d281f7e0ea84f95429dd58f40f530a4d6afe04b2f875753eb5
Instruction Fuzzy Hash: BA32B17AB142C68AF764AE65C0507FC37E2F7107E8F9402AACF466B6E5D6398957C300

Function 000000014001A698 Relevance: 3.6, APIs: 2, Instructions: 613COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001A6FB
_invalid_parameter_noinfo.LIBCMT ref: 000000014001A706

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: f8478baa82738ea8875c7523014a93e7ed9e7ab654d5ea21358459ba0bac151e
Instruction ID: e3fd4a5d009771f01900b24a36af7dab53df05fcca50917564f29c106c911974
Opcode Fuzzy Hash: f8478baa82738ea8875c7523014a93e7ed9e7ab654d5ea21358459ba0bac151e
Instruction Fuzzy Hash: E2320376B042408AF7668F66D0407FC37A2B71A7C8F95421AEF466BBE5D63F8946C301

Function 00007FF665C3A9D8 Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF665C3AC27
RaiseException.KERNEL32 ref: 00007FF665C3AC38

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: e37cea3d6c78cc31d989566bfc0951e48ead2e3c7dd949fca7103c317dc8dc40
Instruction ID: 6a44ee6e18d3b3cc5cbdcf7f6578c6ad4fefdc5d873523bff21100165490de0e
Opcode Fuzzy Hash: e37cea3d6c78cc31d989566bfc0951e48ead2e3c7dd949fca7103c317dc8dc40
Instruction Fuzzy Hash: 7DB10A77604B89CBEB15CF29C88626877B0F784F58B198925DA5D877A4CF3AD861C700

Function 00007FF665BB0B00 Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF665BB0B8D
FindClose.KERNEL32 ref: 00007FF665BB0B9C

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 41e6a5274b1e6dac8f16ab5682416ee48d99485c2ad493626b45c1f81abd2e0c
Instruction ID: 4e96402866aa06ad8acc35f754dc5b2e69a1a5f559d6737b3edbe4cfbebe74bc
Opcode Fuzzy Hash: 41e6a5274b1e6dac8f16ab5682416ee48d99485c2ad493626b45c1f81abd2e0c
Instruction Fuzzy Hash: A4319532608545C2EB209F25D5622796370AF8AFB8F148330E97DCB2E5DE6DDC068700

Function 000001FE8FAE0EF0 Relevance: 3.1, APIs: 2, Instructions: 61networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 000001FE8FAE0F64
bind.WS2_32 ref: 000001FE8FAE0F98

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: bindhtons
String ID:
API String ID: 791846173-0
Opcode ID: 9171ba2a606171ecc4786a987eabdf1552a5d8aa28dfa7c78a1eb5a2f926cfbb
Instruction ID: 77a81a6b7303ab394a728ab5bfc3591e5b27bdaf4256d4fe5ec917b38b0f89c1
Opcode Fuzzy Hash: 9171ba2a606171ecc4786a987eabdf1552a5d8aa28dfa7c78a1eb5a2f926cfbb
Instruction Fuzzy Hash: D92149B260468187D7A4AB29E1906E977E0F3487A4F448175EB8983798D778C8E2CF54

Function 0000000140009400 Relevance: 3.1, APIs: 2, Instructions: 61networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 0000000140009474
bind.WS2_32 ref: 00000001400094A8

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: bindhtons
String ID:
API String ID: 791846173-0
Opcode ID: 6925adac4821d2ed962af63ddee1dd4fd3ce71ae2cc773bd1999aba9ab4df3dd
Instruction ID: bd2a576e2ffe52d7c01e4800f3e05812210ccc8ab2bd70da35787ebc86e8efb7
Opcode Fuzzy Hash: 6925adac4821d2ed962af63ddee1dd4fd3ce71ae2cc773bd1999aba9ab4df3dd
Instruction Fuzzy Hash: C82141F26042508BD7A1DB2AF1807AA73E0F38C794F444126FB89877A8D738C9D1CB04

Function 00007FF665B60B50 Relevance: 3.0, Strings: 2, Instructions: 540COMMON

Download Yara Rule

Strings

Qt: Dead lock detected while activating a BlockingQueuedConnection: Sender is %s(%p), receiver is %s(%p), xrefs: 00007FF665B60E2F
default, xrefs: 00007FF665B60D26, 00007FF665B60DD9, 00007FF665B611E5, 00007FF665B61250

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: Qt: Dead lock detected while activating a BlockingQueuedConnection: Sender is %s(%p), receiver is %s(%p)$default
API String ID: 0-188496423
Opcode ID: a95adbecaaaae865c9a6235cf9876b8f58fef2973d9c2cf80c44910392610114
Instruction ID: 6f75dd72b049ccf8a3d11013bf00973d4b7344a57a5e3be7f0129bd9e0e68d32
Opcode Fuzzy Hash: a95adbecaaaae865c9a6235cf9876b8f58fef2973d9c2cf80c44910392610114
Instruction Fuzzy Hash: 78328F32B09B45C5EB548B66D4666A933B4FB49FA4F184235EE6D8B7D4CF38E851C300

Function 00007FF665B5FE70 Relevance: 3.0, Strings: 2, Instructions: 524COMMON

Download Yara Rule

Strings

QObject: shared QObject was deleted directly. The program is malformed and may crash., xrefs: 00007FF665B5FEE4
default, xrefs: 00007FF665B5FED9

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: QObject: shared QObject was deleted directly. The program is malformed and may crash.$default
API String ID: 0-1590212175
Opcode ID: e5aff6f39530e9404b11ef22b592e89cf7a9c916e3d653303b7a8b4dc03af99d
Instruction ID: 769207590c3694ec9b8d641b0ec364b05a8db52e94102177547e9f24a100b619
Opcode Fuzzy Hash: e5aff6f39530e9404b11ef22b592e89cf7a9c916e3d653303b7a8b4dc03af99d
Instruction Fuzzy Hash: 9222AF32609785C2EA648B26D16277963B4FF8AFA0F145635DA6D8BBD4DF3DE840C700

Function 000001FE8FADF650 Relevance: 1.8, Strings: 1, Instructions: 585COMMON

Download Yara Rule

Strings

[RO] %ld bytes, xrefs: 000001FE8FADFCB5, 000001FE8FADFE1F

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: [RO] %ld bytes
API String ID: 0-772938740
Opcode ID: f7cae8bca4d91966f46de86ca1ffd11b4dd1f0efa15ac6301475bef029487ce5
Instruction ID: 04b37f1ee5d5b6e2fa00dba164212404bca4de2715aec2034e45e33b44e791be
Opcode Fuzzy Hash: f7cae8bca4d91966f46de86ca1ffd11b4dd1f0efa15ac6301475bef029487ce5
Instruction Fuzzy Hash: 8B428B332092C58FC369DF28A4403AE7BE0F355B48F44826ADBC587B56DB78E965CB50

Function 00007FF665B6B240 Relevance: 1.6, Strings: 1, Instructions: 377COMMON

Download Yara Rule

Strings

qt., xrefs: 00007FF665B6B33B

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: qt.
API String ID: 0-1039624776
Opcode ID: 02817b13b5f54e953de6f2b544777969141c6c08e9bdaa88296a4eb03950aaa7
Instruction ID: 502f378a06fe1a3cf75c5a2a9b773a6fdc14ec5604ae99dc0643ad580e09d311
Opcode Fuzzy Hash: 02817b13b5f54e953de6f2b544777969141c6c08e9bdaa88296a4eb03950aaa7
Instruction Fuzzy Hash: 28E17232B08752C6EB648A26C4726BD27B1FB4AF58F588135EA0DCB6D5DE38EC41C700

Function 000001FE8FAD8A2D Relevance: 1.5, APIs: 1, Instructions: 19shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAD56A0: GetCurrentProcess.KERNEL32 ref: 000001FE8FAD56B7
Part of subcall function 000001FE8FAD56A0: OpenProcessToken.ADVAPI32 ref: 000001FE8FAD56CA
Part of subcall function 000001FE8FAD56A0: LookupPrivilegeValueW.ADVAPI32 ref: 000001FE8FAD56F5
Part of subcall function 000001FE8FAD56A0: AdjustTokenPrivileges.ADVAPI32 ref: 000001FE8FAD5718
Part of subcall function 000001FE8FAD56A0: GetLastError.KERNEL32 ref: 000001FE8FAD571E
Part of subcall function 000001FE8FAD56A0: CloseHandle.KERNEL32 ref: 000001FE8FAD572D

ExitWindowsEx.USER32 ref: 000001FE8FAD8A3C

Part of subcall function 000001FE8FAD56A0: CloseHandle.KERNEL32 ref: 000001FE8FAD5748

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: 0177cb3e1cdb11d46ee6c13810d57ab7c6ed36ee73c6af6f37b08cae63a0b0c8
Instruction ID: 43a5d47c7503d2c92d519103a5c7f2be109cfed66f021dbb74924a9329b4d9fd
Opcode Fuzzy Hash: 0177cb3e1cdb11d46ee6c13810d57ab7c6ed36ee73c6af6f37b08cae63a0b0c8
Instruction Fuzzy Hash: 3EE04F763056C186F77AFB21E0663FD7395F788BF4F8801769B0E072968E39C2828600

Function 000001FE8FAD8A4E Relevance: 1.5, APIs: 1, Instructions: 19shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAD56A0: GetCurrentProcess.KERNEL32 ref: 000001FE8FAD56B7
Part of subcall function 000001FE8FAD56A0: OpenProcessToken.ADVAPI32 ref: 000001FE8FAD56CA
Part of subcall function 000001FE8FAD56A0: LookupPrivilegeValueW.ADVAPI32 ref: 000001FE8FAD56F5
Part of subcall function 000001FE8FAD56A0: AdjustTokenPrivileges.ADVAPI32 ref: 000001FE8FAD5718
Part of subcall function 000001FE8FAD56A0: GetLastError.KERNEL32 ref: 000001FE8FAD571E
Part of subcall function 000001FE8FAD56A0: CloseHandle.KERNEL32 ref: 000001FE8FAD572D

ExitWindowsEx.USER32 ref: 000001FE8FAD8A5D

Part of subcall function 000001FE8FAD56A0: CloseHandle.KERNEL32 ref: 000001FE8FAD5748

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: e6a5fa4d446211fe06beb4dab869005ee2c12317f8f14c7869f8b8567d4f9dba
Instruction ID: 786f97e5a89c50bbc579656aaf2c26b745f3c62fa642e7f6968b7a70f56d09e3
Opcode Fuzzy Hash: e6a5fa4d446211fe06beb4dab869005ee2c12317f8f14c7869f8b8567d4f9dba
Instruction Fuzzy Hash: 14E04F763056C186F77ABB21E0663FD7395F788BF4F8801769B0E072968E29C2829600

Function 00007FF665B98500 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

WriteOnly device, xrefs: 00007FF665B98507

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: WriteOnly device
API String ID: 0-1802527306
Opcode ID: 4a57033495bddb99051febc7f191ded91fe92d2e0222cebf793c46ac7e716f0a
Instruction ID: b11b813b63f1b7586973d5385ee399a56f7d6438bdf92d7fea1f978b872634fe
Opcode Fuzzy Hash: 4a57033495bddb99051febc7f191ded91fe92d2e0222cebf793c46ac7e716f0a
Instruction Fuzzy Hash: 7E811423B286918AE714CB64C4616BE3A70FF1AF49F441136EF99DB784DE3C9A15CB10

Function 00007FF665C25BE4 Relevance: 1.5, Strings: 1, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF665C25D7D

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: c1934f50d4c005c5c6b6a34040f2f2f02356029904a6b0e8a89a5b866e439fbd
Instruction ID: 2c97d27bd79d0f82f988f59e5c13cee5bc348cf8c7c0d6749f02d2457a49c122
Opcode Fuzzy Hash: c1934f50d4c005c5c6b6a34040f2f2f02356029904a6b0e8a89a5b866e439fbd
Instruction Fuzzy Hash: 2471D223A0D646C6FA648A29D1063BB67B1AB45F44F543139CD8D8F3DEDE6DEC428701

Function 000001FE8FAD62F0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f266c445950e1297430ac87a0a67c37b17f20ecc0e40b636969d92f470b947e8
Instruction ID: e03ef5386dc2b73784a9fa8067c09a23bc456545bbd06d107b076083266cf4b3
Opcode Fuzzy Hash: f266c445950e1297430ac87a0a67c37b17f20ecc0e40b636969d92f470b947e8
Instruction Fuzzy Hash: 6822D577B785504BD71CCB19E892FA977A2F394308709A52CEA17D3F44DA3DEA06CA00

Function 00007FF665B80970 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b618b6dd7e769c3153b16458297dc523fa2e891019ddc6d672f21eeebca888b
Instruction ID: b3716a3be81bdfb20ded9e5a6861c2dfa1e9a5f4f6cf1558bf48a05e391d88a5
Opcode Fuzzy Hash: 8b618b6dd7e769c3153b16458297dc523fa2e891019ddc6d672f21eeebca888b
Instruction Fuzzy Hash: A802C132B05946D6EB20DF38C4622BC73B1EB49B98B549232DA1DDB6A4DF34ED46C740

Function 00007FF665B80050 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f3db23d335aabe829bdd43622417786b09a7f35892de39b79545b5ac86ba9a
Instruction ID: d87c9cec6ed43171ceaf4151425c6c3d2b861ecbdabd99f1ec9d0f49c18771dd
Opcode Fuzzy Hash: e7f3db23d335aabe829bdd43622417786b09a7f35892de39b79545b5ac86ba9a
Instruction Fuzzy Hash: 3FE1B032B0A606DAE754CF68D86227C33B5AB89B94F549135DE4EDB794DE38EC01C740

Function 000001FE8FAF5378 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction ID: 5fd8d36055606a6c045ce57bb0d14fafb88e16ee618551501b978fbd4ecde6c2
Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction Fuzzy Hash: 4451D476B152E28BE7589F18E004FAC3AEAF794392F61D139DB129BF50D676CC518B00

Function 000000014001BFE8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction ID: 53659f113055ede85aaf2fc74df7715867b2c9a905a4beaaa91a52d4308609d6
Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction Fuzzy Hash: 3551E577B252A18BE75A8F19E404FAC3AA5F398385F51D039EB129BF51D676CC50CB00

Function 00007FF665B761B0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6496731fa74dfd9424f69598ecc8c71401180258f910eac2dd5601b098a0783
Instruction ID: b6231261f87508f980087be44316f69390d273a48387de406f0291dc4d3dffcc
Opcode Fuzzy Hash: f6496731fa74dfd9424f69598ecc8c71401180258f910eac2dd5601b098a0783
Instruction Fuzzy Hash: 4A51E612F182D59FF7218EBD580059C2E31A766648F444569DE88EBF4BCD28EF06C790

Function 00007FF665B633A0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a8174c90d8608e81318d94b2c031deb892454abe5a591ccbc75316d7478f5c
Instruction ID: 91504cfb2a837a5924ecbbe09d393f26f0942865a8f5b6f8844433becf73d7ff
Opcode Fuzzy Hash: f8a8174c90d8608e81318d94b2c031deb892454abe5a591ccbc75316d7478f5c
Instruction Fuzzy Hash: AB519062A08751C2EB659B27D12227A63B0FB4AF98F545135DE4D8B7C8DF38EC45C740

Function 00007FF665C30ACC Relevance: .1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 80371e6dac681631be04dcf261c6f98bc6bea27ba4b5753d1749bcb0e5166604
Instruction ID: b6adf2cc68be882f789b83685ecc154c8dc9cf0b91686b7642cdec32b35ae1f7
Opcode Fuzzy Hash: 80371e6dac681631be04dcf261c6f98bc6bea27ba4b5753d1749bcb0e5166604
Instruction Fuzzy Hash: 1441D323714A59C6EF04CF2AD95616963B1F748FD8B099136DE4DDBB98DE3CC8428304

Function 000001FE8FAF8270 Relevance: .0, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c379b1aee352c79a0ecec65525e13c06bad3dfb5bf851640375506568d2c6066
Instruction ID: 008f911d6e85a0066a467c6db5cc88417307e8bd1875597a30b809246c7ccae8
Opcode Fuzzy Hash: c379b1aee352c79a0ecec65525e13c06bad3dfb5bf851640375506568d2c6066
Instruction Fuzzy Hash: 7FE048D7E9EFC16DD662A5500C7AA5C2FC1D772B5471C019B8B50462D3F5551D154201

Function 000001FE8FAF80B8 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5331c69769e61ad5f7723b224dcbb812143a96d3905af38dd95695f4b8350872
Instruction ID: a5099a329219d0f12b45f1d1b85b9f0dc90f8824d82dfa83072b5f260145182d
Opcode Fuzzy Hash: 5331c69769e61ad5f7723b224dcbb812143a96d3905af38dd95695f4b8350872
Instruction Fuzzy Hash:

Function 000001FE8FAF1280 Relevance: 107.7, APIs: 86, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000001FE8FAF1295

Part of subcall function 000001FE8FAE4698: HeapFree.KERNEL32 ref: 000001FE8FAE46AE
Part of subcall function 000001FE8FAE4698: _errno.LIBCMT ref: 000001FE8FAE46B8

free.LIBCMT ref: 000001FE8FAF129E
free.LIBCMT ref: 000001FE8FAF12A7
free.LIBCMT ref: 000001FE8FAF12B0
free.LIBCMT ref: 000001FE8FAF12B9
free.LIBCMT ref: 000001FE8FAF12C2
free.LIBCMT ref: 000001FE8FAF12CA
free.LIBCMT ref: 000001FE8FAF12D3
free.LIBCMT ref: 000001FE8FAF12DC
free.LIBCMT ref: 000001FE8FAF12E5
free.LIBCMT ref: 000001FE8FAF12EE
free.LIBCMT ref: 000001FE8FAF12F7
free.LIBCMT ref: 000001FE8FAF1300
free.LIBCMT ref: 000001FE8FAF1309
free.LIBCMT ref: 000001FE8FAF1312
free.LIBCMT ref: 000001FE8FAF131B
free.LIBCMT ref: 000001FE8FAF1327
free.LIBCMT ref: 000001FE8FAF1333
free.LIBCMT ref: 000001FE8FAF133F
free.LIBCMT ref: 000001FE8FAF134B
free.LIBCMT ref: 000001FE8FAF1357
free.LIBCMT ref: 000001FE8FAF1363
free.LIBCMT ref: 000001FE8FAF136F
free.LIBCMT ref: 000001FE8FAF137B
free.LIBCMT ref: 000001FE8FAF1387
free.LIBCMT ref: 000001FE8FAF1393
free.LIBCMT ref: 000001FE8FAF139F
free.LIBCMT ref: 000001FE8FAF13AB
free.LIBCMT ref: 000001FE8FAF13B7
free.LIBCMT ref: 000001FE8FAF13C3
free.LIBCMT ref: 000001FE8FAF13CF
free.LIBCMT ref: 000001FE8FAF13DB
free.LIBCMT ref: 000001FE8FAF13E7
free.LIBCMT ref: 000001FE8FAF13F3
free.LIBCMT ref: 000001FE8FAF13FF
free.LIBCMT ref: 000001FE8FAF140B
free.LIBCMT ref: 000001FE8FAF1417
free.LIBCMT ref: 000001FE8FAF1423
free.LIBCMT ref: 000001FE8FAF142F
free.LIBCMT ref: 000001FE8FAF143B
free.LIBCMT ref: 000001FE8FAF1447
free.LIBCMT ref: 000001FE8FAF1453
free.LIBCMT ref: 000001FE8FAF145F
free.LIBCMT ref: 000001FE8FAF146B
free.LIBCMT ref: 000001FE8FAF1477
free.LIBCMT ref: 000001FE8FAF1483
free.LIBCMT ref: 000001FE8FAF148F
free.LIBCMT ref: 000001FE8FAF149B
free.LIBCMT ref: 000001FE8FAF14A7
free.LIBCMT ref: 000001FE8FAF14B3
free.LIBCMT ref: 000001FE8FAF14BF
free.LIBCMT ref: 000001FE8FAF14CB
free.LIBCMT ref: 000001FE8FAF14D7
free.LIBCMT ref: 000001FE8FAF14E3
free.LIBCMT ref: 000001FE8FAF14EF
free.LIBCMT ref: 000001FE8FAF14FB
free.LIBCMT ref: 000001FE8FAF1507
free.LIBCMT ref: 000001FE8FAF1513
free.LIBCMT ref: 000001FE8FAF151F
free.LIBCMT ref: 000001FE8FAF152B
free.LIBCMT ref: 000001FE8FAF1537
free.LIBCMT ref: 000001FE8FAF1543
free.LIBCMT ref: 000001FE8FAF154F
free.LIBCMT ref: 000001FE8FAF155B
free.LIBCMT ref: 000001FE8FAF1567
free.LIBCMT ref: 000001FE8FAF1573
free.LIBCMT ref: 000001FE8FAF157F
free.LIBCMT ref: 000001FE8FAF158B
free.LIBCMT ref: 000001FE8FAF1597
free.LIBCMT ref: 000001FE8FAF15A3
free.LIBCMT ref: 000001FE8FAF15AF
free.LIBCMT ref: 000001FE8FAF15BB
free.LIBCMT ref: 000001FE8FAF15C7
free.LIBCMT ref: 000001FE8FAF15D3
free.LIBCMT ref: 000001FE8FAF15DF
free.LIBCMT ref: 000001FE8FAF15EB
free.LIBCMT ref: 000001FE8FAF15F7
free.LIBCMT ref: 000001FE8FAF1603
free.LIBCMT ref: 000001FE8FAF160F
free.LIBCMT ref: 000001FE8FAF161B
free.LIBCMT ref: 000001FE8FAF1627
free.LIBCMT ref: 000001FE8FAF1633
free.LIBCMT ref: 000001FE8FAF163F
free.LIBCMT ref: 000001FE8FAF164B
free.LIBCMT ref: 000001FE8FAF1657
free.LIBCMT ref: 000001FE8FAF1663

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: 2e4d513bdbcfd8bd2ec7bcf5c7b34eda39d1d1b6ccbe2ef803f71952144ddf35
Instruction ID: dfe8f773b79a5bb752064c1f9af855695ac55012aecb910060fcd3995ce796ee
Opcode Fuzzy Hash: 2e4d513bdbcfd8bd2ec7bcf5c7b34eda39d1d1b6ccbe2ef803f71952144ddf35
Instruction Fuzzy Hash: 7AA1653662298289EA41BB31C8B53FC1378ABC6FD4F8545729F4D6B1B7CE94C8568350

Function 00000001400190C8 Relevance: 107.7, APIs: 86, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00000001400190DD

Part of subcall function 000000014000CDD8: RtlFreeHeap.NTDLL(?,?,?,000000014000105E), ref: 000000014000CDEE
Part of subcall function 000000014000CDD8: _errno.LIBCMT ref: 000000014000CDF8

free.LIBCMT ref: 00000001400190E6
free.LIBCMT ref: 00000001400190EF
free.LIBCMT ref: 00000001400190F8
free.LIBCMT ref: 0000000140019101
free.LIBCMT ref: 000000014001910A
free.LIBCMT ref: 0000000140019112
free.LIBCMT ref: 000000014001911B
free.LIBCMT ref: 0000000140019124
free.LIBCMT ref: 000000014001912D
free.LIBCMT ref: 0000000140019136
free.LIBCMT ref: 000000014001913F
free.LIBCMT ref: 0000000140019148
free.LIBCMT ref: 0000000140019151
free.LIBCMT ref: 000000014001915A
free.LIBCMT ref: 0000000140019163
free.LIBCMT ref: 000000014001916F
free.LIBCMT ref: 000000014001917B
free.LIBCMT ref: 0000000140019187
free.LIBCMT ref: 0000000140019193
free.LIBCMT ref: 000000014001919F
free.LIBCMT ref: 00000001400191AB
free.LIBCMT ref: 00000001400191B7
free.LIBCMT ref: 00000001400191C3
free.LIBCMT ref: 00000001400191CF
free.LIBCMT ref: 00000001400191DB
free.LIBCMT ref: 00000001400191E7
free.LIBCMT ref: 00000001400191F3
free.LIBCMT ref: 00000001400191FF
free.LIBCMT ref: 000000014001920B
free.LIBCMT ref: 0000000140019217
free.LIBCMT ref: 0000000140019223
free.LIBCMT ref: 000000014001922F
free.LIBCMT ref: 000000014001923B
free.LIBCMT ref: 0000000140019247
free.LIBCMT ref: 0000000140019253
free.LIBCMT ref: 000000014001925F
free.LIBCMT ref: 000000014001926B
free.LIBCMT ref: 0000000140019277
free.LIBCMT ref: 0000000140019283
free.LIBCMT ref: 000000014001928F
free.LIBCMT ref: 000000014001929B
free.LIBCMT ref: 00000001400192A7
free.LIBCMT ref: 00000001400192B3
free.LIBCMT ref: 00000001400192BF
free.LIBCMT ref: 00000001400192CB
free.LIBCMT ref: 00000001400192D7
free.LIBCMT ref: 00000001400192E3
free.LIBCMT ref: 00000001400192EF
free.LIBCMT ref: 00000001400192FB
free.LIBCMT ref: 0000000140019307
free.LIBCMT ref: 0000000140019313
free.LIBCMT ref: 000000014001931F
free.LIBCMT ref: 000000014001932B
free.LIBCMT ref: 0000000140019337
free.LIBCMT ref: 0000000140019343
free.LIBCMT ref: 000000014001934F
free.LIBCMT ref: 000000014001935B
free.LIBCMT ref: 0000000140019367
free.LIBCMT ref: 0000000140019373
free.LIBCMT ref: 000000014001937F
free.LIBCMT ref: 000000014001938B
free.LIBCMT ref: 0000000140019397
free.LIBCMT ref: 00000001400193A3
free.LIBCMT ref: 00000001400193AF
free.LIBCMT ref: 00000001400193BB
free.LIBCMT ref: 00000001400193C7
free.LIBCMT ref: 00000001400193D3
free.LIBCMT ref: 00000001400193DF
free.LIBCMT ref: 00000001400193EB
free.LIBCMT ref: 00000001400193F7
free.LIBCMT ref: 0000000140019403
free.LIBCMT ref: 000000014001940F
free.LIBCMT ref: 000000014001941B
free.LIBCMT ref: 0000000140019427
free.LIBCMT ref: 0000000140019433
free.LIBCMT ref: 000000014001943F
free.LIBCMT ref: 000000014001944B
free.LIBCMT ref: 0000000140019457
free.LIBCMT ref: 0000000140019463
free.LIBCMT ref: 000000014001946F
free.LIBCMT ref: 000000014001947B
free.LIBCMT ref: 0000000140019487
free.LIBCMT ref: 0000000140019493
free.LIBCMT ref: 000000014001949F
free.LIBCMT ref: 00000001400194AB

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: 31d0535efea13f5530bd949da869d2d280bb43d073b1e494398dd8a19ee2e131
Instruction ID: abdc688e6b85bc31969d051ac78723e128bf216b56061f565fb57f4e7d3f478c
Opcode Fuzzy Hash: 31d0535efea13f5530bd949da869d2d280bb43d073b1e494398dd8a19ee2e131
Instruction Fuzzy Hash: E6A153726A254885EA47EB32DC957FC1721AF8AB84F844133BB4E6B5F7CE31C8459390

Function 00007FF665BB2530 Relevance: 43.9, APIs: 15, Strings: 10, Instructions: 166libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF665BB25D0
GetProcAddress.KERNEL32 ref: 00007FF665BB25E7
GetProcAddress.KERNEL32 ref: 00007FF665BB25FE
GetProcAddress.KERNEL32 ref: 00007FF665BB2615
GetCurrentProcess.KERNEL32 ref: 00007FF665BB2630
OpenProcessToken.ADVAPI32 ref: 00007FF665BB265C
GetTokenInformation.ADVAPI32 ref: 00007FF665BB2688
GetTokenInformation.ADVAPI32 ref: 00007FF665BB26BC
GetLengthSid.ADVAPI32 ref: 00007FF665BB26CC
CopySid.ADVAPI32 ref: 00007FF665BB26EA
CloseHandle.KERNEL32 ref: 00007FF665BB2715
GetProcAddress.KERNEL32 ref: 00007FF665BB2725
GetProcAddress.KERNEL32 ref: 00007FF665BB27AA
LoadLibraryW.KERNEL32 ref: 00007FF665BB27BE
GetProcAddress.KERNEL32 ref: 00007FF665BB27D3

Strings

userenv, xrefs: 00007FF665BB278F
BuildTrusteeWithSidW, xrefs: 00007FF665BB25F4
GetUserProfileDirectoryW, xrefs: 00007FF665BB27A0
GetEffectiveRightsFromAclW, xrefs: 00007FF665BB260B
advapi32, xrefs: 00007FF665BB25B2
LookupAccountSidW, xrefs: 00007FF665BB25DD
GetVolumePathNamesForVolumeNameW, xrefs: 00007FF665BB27C9
AllocateAndInitializeSid, xrefs: 00007FF665BB271B
GetNamedSecurityInfoW, xrefs: 00007FF665BB25C6
kernel32, xrefs: 00007FF665BB27B7

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc$Token$InformationProcess$CloseCopyCurrentHandleLengthLibraryLoadOpen
String ID: AllocateAndInitializeSid$BuildTrusteeWithSidW$GetEffectiveRightsFromAclW$GetNamedSecurityInfoW$GetUserProfileDirectoryW$GetVolumePathNamesForVolumeNameW$LookupAccountSidW$advapi32$kernel32$userenv
API String ID: 2696503892-3103641746
Opcode ID: 119ff1c74d3851af8e6b534a9a4d689b4cea124b3013ada68ca1587a54ffe470
Instruction ID: ff5768279154ea382b115022f2c336069dcf97b1833d267b4fd162a19aaa2383
Opcode Fuzzy Hash: 119ff1c74d3851af8e6b534a9a4d689b4cea124b3013ada68ca1587a54ffe470
Instruction Fuzzy Hash: 7E811A31A09B82C5FA11DB21E8A666967B4FF89F90F441239D95E8B7A4DF3CEC44C704

Function 000001FE8FAF091C Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000001FE8FAF0961
GetProcAddress.KERNEL32 ref: 000001FE8FAF097D
EncodePointer.KERNEL32 ref: 000001FE8FAF098F
GetProcAddress.KERNEL32 ref: 000001FE8FAF09A6
EncodePointer.KERNEL32 ref: 000001FE8FAF09AF
GetProcAddress.KERNEL32 ref: 000001FE8FAF09C6
EncodePointer.KERNEL32 ref: 000001FE8FAF09CF
GetProcAddress.KERNEL32 ref: 000001FE8FAF09E6
EncodePointer.KERNEL32 ref: 000001FE8FAF09EF
GetProcAddress.KERNEL32 ref: 000001FE8FAF0A0E
EncodePointer.KERNEL32 ref: 000001FE8FAF0A17
DecodePointer.KERNEL32 ref: 000001FE8FAF0A4A
DecodePointer.KERNEL32 ref: 000001FE8FAF0A5A
DecodePointer.KERNEL32 ref: 000001FE8FAF0AB0
DecodePointer.KERNEL32 ref: 000001FE8FAF0AD1
DecodePointer.KERNEL32 ref: 000001FE8FAF0AEB

Strings

GetProcessWindowStation, xrefs: 000001FE8FAF0A04
GetLastActivePopup, xrefs: 000001FE8FAF09B5
GetActiveWindow, xrefs: 000001FE8FAF0995
MessageBoxW, xrefs: 000001FE8FAF0973
USER32.DLL, xrefs: 000001FE8FAF095A
GetUserObjectInformationW, xrefs: 000001FE8FAF09D5

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 7acbe540bc04eb17a634a09565014fbe7794e89a6f31f33c4fabbf1735c0f02e
Instruction ID: 1290eccac37f9938142aab2d46ae785a4bd589c8bf15a7222c6c51feb2ad307f
Opcode Fuzzy Hash: 7acbe540bc04eb17a634a09565014fbe7794e89a6f31f33c4fabbf1735c0f02e
Instruction Fuzzy Hash: 2A51FB31212B8781FE55FB52B8547B967E4EB89BE0F5486B59E0A4B7B0EE3CC447C600

Function 00000001400172AC Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 00000001400172F1
GetProcAddress.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014001730D
EncodePointer.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014001731F
GetProcAddress.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 0000000140017336
EncodePointer.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014001733F
GetProcAddress.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 0000000140017356
EncodePointer.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014001735F
GetProcAddress.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 0000000140017376
EncodePointer.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014001737F
GetProcAddress.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014001739E
EncodePointer.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 00000001400173A7
DecodePointer.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 00000001400173DA
DecodePointer.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 00000001400173EA
DecodePointer.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 0000000140017440
DecodePointer.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 0000000140017461
DecodePointer.KERNEL32(?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014001747B

Strings

MessageBoxW, xrefs: 0000000140017303
GetUserObjectInformationW, xrefs: 0000000140017365
GetLastActivePopup, xrefs: 0000000140017345
USER32.DLL, xrefs: 00000001400172EA
GetProcessWindowStation, xrefs: 0000000140017394
GetActiveWindow, xrefs: 0000000140017325

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 133abd0a10ee1375612e9f9bcf34c38de31264588499f97252e3e7a14f67fc1d
Instruction ID: 7778e1b12d3fde63df6d1acb63cd759431b914f86ae814ee691b8e64ef29754c
Opcode Fuzzy Hash: 133abd0a10ee1375612e9f9bcf34c38de31264588499f97252e3e7a14f67fc1d
Instruction Fuzzy Hash: 5151F434206B1582FE57DB57B854BE427A0AB8DBD0F440529EF4E4B7B1EF3A8945D210

Function 000001FE8FAD9460 Relevance: 33.2, APIs: 22, Instructions: 191memorywindowCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 000001FE8FAD94AA
GlobalLock.KERNEL32 ref: 000001FE8FAD94B6
GlobalUnlock.KERNEL32 ref: 000001FE8FAD94CD
CreateStreamOnHGlobal.OLE32 ref: 000001FE8FAD94E2
EnterCriticalSection.KERNEL32 ref: 000001FE8FAD952B
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAD953E
GdipCreateBitmapFromStream.GDIPLUS ref: 000001FE8FAD956E
GdipDisposeImage.GDIPLUS ref: 000001FE8FAD9585
GdipDisposeImage.GDIPLUS ref: 000001FE8FAD95A3
CreateStreamOnHGlobal.OLE32 ref: 000001FE8FAD95C2
GetHGlobalFromStream.OLE32 ref: 000001FE8FAD95ED
GlobalLock.KERNEL32 ref: 000001FE8FAD95F8
GlobalFree.KERNEL32 ref: 000001FE8FAD9613
DeleteObject.GDI32 ref: 000001FE8FAD96EB
EnterCriticalSection.KERNEL32 ref: 000001FE8FAD96F8
EnterCriticalSection.KERNEL32 ref: 000001FE8FAD970D
GdiplusShutdown.GDIPLUS ref: 000001FE8FAD971F
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAD9733
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAD9740
GlobalFree.KERNEL32 ref: 000001FE8FAD9749

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$DisposeFreeFromImageLock$AllocBitmapDeleteGdiplusObjectShutdownUnlock
String ID:
API String ID: 562715702-0
Opcode ID: cdc0204bc30cf34552371714a5366ee355cd303610cee03585cb9d2d35280443
Instruction ID: c2154d35f4134fb8e037c1cae97452af71583c2373b1a65dbe812c1534734979
Opcode Fuzzy Hash: cdc0204bc30cf34552371714a5366ee355cd303610cee03585cb9d2d35280443
Instruction Fuzzy Hash: 6B911B32714B8286EB21FF61E8546ED23F1F788BE8F500665CE595BAB4DF38C54A8740

Function 000000014001C204 Relevance: 32.0, APIs: 21, Instructions: 482COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014001C235
_errno.LIBCMT ref: 000000014001C23E
__doserrno.LIBCMT ref: 000000014001C298
_errno.LIBCMT ref: 000000014001C29F
_invalid_parameter_noinfo.LIBCMT ref: 000000014001C90E

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 4f621cab06cbba3612be9da7efe74c55c63dd12ab4e59da345fd03b90ec2a3b2
Instruction ID: d49c74b36467b3b77bad471cceb2aef24b31a01a7c48d520ee55f93b79db8357
Opcode Fuzzy Hash: 4f621cab06cbba3612be9da7efe74c55c63dd12ab4e59da345fd03b90ec2a3b2
Instruction Fuzzy Hash: 3622F57262468186F7239B67D4807EC2BA1F74DBD8F688116EB5A0B7F1DB76C841D302

Function 000001FE8FAF5594 Relevance: 32.0, APIs: 21, Instructions: 481COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000001FE8FAF55C5
_errno.LIBCMT ref: 000001FE8FAF55CE
__doserrno.LIBCMT ref: 000001FE8FAF5628
_errno.LIBCMT ref: 000001FE8FAF562F
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAF5C9E

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 54416721b11f383574e6eb75bbea4055506d4160d704af51a6d319baa15b6c74
Instruction ID: ca9463dbd5c05d3513c75cba2a7c3e4f8b13dabb3677383c0b15b17640ae6442
Opcode Fuzzy Hash: 54416721b11f383574e6eb75bbea4055506d4160d704af51a6d319baa15b6c74
Instruction Fuzzy Hash: D622DF326246C68AE762BB64D4803FC2BE1E751BF8F5883A6CB560B6F1D676C443D301

Function 000001FE8FAEBB98 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 334COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE5850: RtlLookupFunctionEntry.KERNEL32 ref: 000001FE8FAE58C4

__GetUnwindTryBlock.LIBCMT ref: 000001FE8FAEBBFC
__SetUnwindTryBlock.LIBCMT ref: 000001FE8FAEBC23

Part of subcall function 000001FE8FAE568C: RaiseException.KERNEL32 ref: 000001FE8FAE5707

__GetUnwindTryBlock.LIBCMT ref: 000001FE8FAEBC2D
_getptd.LIBCMT ref: 000001FE8FAEBC83
_getptd.LIBCMT ref: 000001FE8FAEBC96
_getptd.LIBCMT ref: 000001FE8FAEBCA2
_SetThrowImageBase.LIBCMT ref: 000001FE8FAEBCB6
_getptd.LIBCMT ref: 000001FE8FAEBD06
_getptd.LIBCMT ref: 000001FE8FAEBD19
_getptd.LIBCMT ref: 000001FE8FAEBD25
type_info::operator==.LIBCMT ref: 000001FE8FAEBD8C
std::exception::exception.LIBCMT ref: 000001FE8FAEBDC5
_getptd.LIBCMT ref: 000001FE8FAEBFF8
std::exception::exception.LIBCMT ref: 000001FE8FAEC071

Strings

csm, xrefs: 000001FE8FAEBC43
csm, xrefs: 000001FE8FAEBDEA
bad exception, xrefs: 000001FE8FAEBDB2
csm, xrefs: 000001FE8FAEBCD1

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$BlockUnwind$std::exception::exception$BaseEntryExceptionFunctionImageLookupRaiseThrowtype_info::operator==
String ID: bad exception$csm$csm$csm
API String ID: 1639654010-820278400
Opcode ID: ee4cf200c058bec5ed6b23d82509feab73e8c37503a7504ed1a0638e07e7d0de
Instruction ID: 9bd28906d95404d446325837baea6df44b7ac1bd24029d7c24abdf8acb0f7d04
Opcode Fuzzy Hash: ee4cf200c058bec5ed6b23d82509feab73e8c37503a7504ed1a0638e07e7d0de
Instruction Fuzzy Hash: CFE18A32600A828AEB64BF6590A83FD37E0F758BE8F4441B5EF4947BA6DB34C456C750

Function 00000001400129C8 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 334COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014000CF40: RtlLookupFunctionEntry.KERNEL32 ref: 000000014000CFB4

__GetUnwindTryBlock.LIBCMT ref: 0000000140012A2C
__SetUnwindTryBlock.LIBCMT ref: 0000000140012A53

Part of subcall function 000000014000CBB8: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,000000014000C406), ref: 000000014000CC33

__GetUnwindTryBlock.LIBCMT ref: 0000000140012A5D
_getptd.LIBCMT ref: 0000000140012AB3
_getptd.LIBCMT ref: 0000000140012AC6
_getptd.LIBCMT ref: 0000000140012AD2
_SetThrowImageBase.LIBCMT ref: 0000000140012AE6
_getptd.LIBCMT ref: 0000000140012B36
_getptd.LIBCMT ref: 0000000140012B49
_getptd.LIBCMT ref: 0000000140012B55
type_info::operator==.LIBCMT ref: 0000000140012BBC
std::exception::exception.LIBCMT ref: 0000000140012BF5
_getptd.LIBCMT ref: 0000000140012E28
std::exception::exception.LIBCMT ref: 0000000140012EA1

Strings

csm, xrefs: 0000000140012B01
csm, xrefs: 0000000140012C1A
bad exception, xrefs: 0000000140012BE2
csm, xrefs: 0000000140012A73

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$BlockUnwind$std::exception::exception$BaseEntryExceptionFunctionImageLookupRaiseThrowtype_info::operator==
String ID: bad exception$csm$csm$csm
API String ID: 1639654010-820278400
Opcode ID: bdae71a96226850f4cec86a3f0769fa3fb0752ab22783a132606b62290854c44
Instruction ID: 9b63747dd7160c9bab65c0d73adb3ec38049c598a4e35238ed204f797c5a215c
Opcode Fuzzy Hash: bdae71a96226850f4cec86a3f0769fa3fb0752ab22783a132606b62290854c44
Instruction Fuzzy Hash: C3E19A726046408AEB26DF67A1843EE37A0F74CBC8F444526FF4A1BBA6CB36C465C355

Function 000001FE8FAD4570 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000001FE8FAD45A9

Part of subcall function 000001FE8FAD4390: GetCurrentProcessId.KERNEL32 ref: 000001FE8FAD43AD
Part of subcall function 000001FE8FAD4390: OpenProcess.KERNEL32 ref: 000001FE8FAD43BD
Part of subcall function 000001FE8FAD4390: OpenProcessToken.ADVAPI32 ref: 000001FE8FAD43E5
Part of subcall function 000001FE8FAD4390: CloseHandle.KERNEL32 ref: 000001FE8FAD43F2

GetVersionExW.KERNEL32 ref: 000001FE8FAD45DB
GetCurrentProcess.KERNEL32 ref: 000001FE8FAD4604
OpenProcessToken.ADVAPI32 ref: 000001FE8FAD4615
GetTokenInformation.ADVAPI32 ref: 000001FE8FAD463F
GetLastError.KERNEL32 ref: 000001FE8FAD4649
LocalAlloc.KERNEL32 ref: 000001FE8FAD4663
GetTokenInformation.ADVAPI32 ref: 000001FE8FAD468B
GetSidSubAuthorityCount.ADVAPI32 ref: 000001FE8FAD4698
GetSidSubAuthority.ADVAPI32 ref: 000001FE8FAD46A6
LocalFree.KERNEL32 ref: 000001FE8FAD46B1
CloseHandle.KERNEL32 ref: 000001FE8FAD46C4
wsprintfW.USER32 ref: 000001FE8FAD4722

Strings

%d/None/%s, xrefs: 000001FE8FAD4712
%d/, xrefs: 000001FE8FAD4709
%d/, xrefs: 000001FE8FAD46EE
%d/, xrefs: 000001FE8FAD46F7
%d/, xrefs: 000001FE8FAD4700

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocal$AllocCountErrorFreeLastVersionwsprintf
String ID: %d/$%d/$%d/$%d/$%d/None/%s
API String ID: 407931619-3175268128
Opcode ID: 66a97c90580ce347094714e55ca43378ea6e37b53cdfd1314d87ae6dfdcbb0e2
Instruction ID: 086254b0c1e089c5a20ad905575bb101010e5f43e0107a10b123c86e4888807c
Opcode Fuzzy Hash: 66a97c90580ce347094714e55ca43378ea6e37b53cdfd1314d87ae6dfdcbb0e2
Instruction Fuzzy Hash: 4F513831214AC2C6EBA1BB11E894BE963F0F785BE4F541275EB8A476A4DF38C556CB00

Function 000001FE8FAD7A50 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 225windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS ref: 000001FE8FAD7A8E
malloc.LIBCMT ref: 000001FE8FAD7AFA
free.LIBCMT ref: 000001FE8FAD7B26
GdipGetImageEncoders.GDIPLUS ref: 000001FE8FAD7B3F
free.LIBCMT ref: 000001FE8FAD7B56
free.LIBCMT ref: 000001FE8FAD7C2B
GdipCreateBitmapFromScan0.GDIPLUS ref: 000001FE8FAD7C72
GdipSaveImageToStream.GDIPLUS ref: 000001FE8FAD7C89
GdipDisposeImage.GDIPLUS ref: 000001FE8FAD7C96
free.LIBCMT ref: 000001FE8FAD7CAB
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 000001FE8FAD7CC5
GdipSaveImageToStream.GDIPLUS ref: 000001FE8FAD7CDC
GdipDisposeImage.GDIPLUS ref: 000001FE8FAD7CE9
free.LIBCMT ref: 000001FE8FAD7D06
GdipDisposeImage.GDIPLUS ref: 000001FE8FAD7D15
free.LIBCMT ref: 000001FE8FAD7D26

Strings

&, xrefs: 000001FE8FAD7C5D

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Gdip$Image$free$Dispose$BitmapCreateEncodersFromSaveStream$Scan0Sizemalloc
String ID: &
API String ID: 1890951399-3042966939
Opcode ID: 60ad61b9c2a00a2fb8edbd6bf83d103515c805d4293a766110f50120b13cc51f
Instruction ID: a07ea13d71bcbe9dd710da4819328bf106fade1a4279fb35c91cbec6e58edc4b
Opcode Fuzzy Hash: 60ad61b9c2a00a2fb8edbd6bf83d103515c805d4293a766110f50120b13cc51f
Instruction Fuzzy Hash: 1C914C32311AC285EF2ABF21D410BF923E5E754BF8F5847B19F1A0B6E4DE28C9468340

Function 000001FE8FAD7630 Relevance: 27.3, APIs: 18, Instructions: 283windowCOMMON

Download Yara Rule

APIs

GdipGetImagePixelFormat.GDIPLUS ref: 000001FE8FAD766F
GdipGetImageHeight.GDIPLUS ref: 000001FE8FAD76D8
GdipGetImageWidth.GDIPLUS ref: 000001FE8FAD76F6
GdipGetImagePaletteSize.GDIPLUS ref: 000001FE8FAD773C
malloc.LIBCMT ref: 000001FE8FAD77A2

Part of subcall function 000001FE8FAE46D8: _FF_MSGBANNER.LIBCMT ref: 000001FE8FAE4708
Part of subcall function 000001FE8FAE46D8: HeapAlloc.KERNEL32 ref: 000001FE8FAE472D
Part of subcall function 000001FE8FAE46D8: _callnewh.LIBCMT ref: 000001FE8FAE4746
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE4751
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE475C

free.LIBCMT ref: 000001FE8FAD77CB
GdipGetImagePalette.GDIPLUS ref: 000001FE8FAD77EA
GdipBitmapLockBits.GDIPLUS ref: 000001FE8FAD78A7
free.LIBCMT ref: 000001FE8FAD78C6
GdipCreateBitmapFromScan0.GDIPLUS ref: 000001FE8FAD79BF
GdipGetImageGraphicsContext.GDIPLUS ref: 000001FE8FAD79D4
GdipDrawImageI.GDIPLUS ref: 000001FE8FAD79EC
GdipDeleteGraphics.GDIPLUS ref: 000001FE8FAD79F5
GdipDisposeImage.GDIPLUS ref: 000001FE8FAD79FE
free.LIBCMT ref: 000001FE8FAD78E6

Part of subcall function 000001FE8FAE4698: HeapFree.KERNEL32 ref: 000001FE8FAE46AE
Part of subcall function 000001FE8FAE4698: _errno.LIBCMT ref: 000001FE8FAE46B8

memcpy_s.LIBCMT ref: 000001FE8FAD792C
GdipBitmapUnlockBits.GDIPLUS ref: 000001FE8FAD7968
free.LIBCMT ref: 000001FE8FAD7A16

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Gdip$Image$free$Bitmap_errno$BitsGraphicsHeapPalette$AllocContextCreateDeleteDisposeDrawFormatFreeFromHeightLockPixelScan0SizeUnlockWidth_callnewhmallocmemcpy_s
String ID:
API String ID: 3799618542-0
Opcode ID: e8420e5db0a413dcbbb5ff5e2a4ca2867ef6350a45bdd43dbb9f23277287debd
Instruction ID: b42b5e720108db3ebe85cc702d3c260d8c14de4c742207b6e688aec365453c11
Opcode Fuzzy Hash: e8420e5db0a413dcbbb5ff5e2a4ca2867ef6350a45bdd43dbb9f23277287debd
Instruction Fuzzy Hash: 4EC1AA762006C28AEB2ABF25D444BE93BE4F744BE8F4546A5DF094BBA5DB38C542C740

Function 000001FE8FAD3550 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 146windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000001FE8FAD3572

Strings

Port, xrefs: 000001FE8FAD3642
Process, xrefs: 000001FE8FAD373E
CurrPorts, xrefs: 000001FE8FAD362A
TaskExplorer, xrefs: 000001FE8FAD3612
Capsa, xrefs: 000001FE8FAD3702, 000001FE8FAD372A
ApateDNS, xrefs: 000001FE8FAD35CA
Wireshark, xrefs: 000001FE8FAD3672
Metascan, xrefs: 000001FE8FAD365A
Sniff, xrefs: 000001FE8FAD3716
Fiddler, xrefs: 000001FE8FAD36D2
TCPEye, xrefs: 000001FE8FAD35FA
Malwarebytes, xrefs: 000001FE8FAD35E2

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: VisibleWindow
String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
API String ID: 1208467747-3439171801
Opcode ID: 32ff9c33e7c21981f1e92648b8f3a94a06c835b35deeed59398db8ea4e336351
Instruction ID: 2cc244b393d159f878117fc65042957c5293751b106ab6aa3f1da4fcd9b67c76
Opcode Fuzzy Hash: 32ff9c33e7c21981f1e92648b8f3a94a06c835b35deeed59398db8ea4e336351
Instruction Fuzzy Hash: A151417C751BC340FD85FB12A4203F423E99B45BF4F4865B89F0A4A3B9FAA8D9568300

Function 000001FE8FADAD70 Relevance: 24.3, APIs: 16, Instructions: 279COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 000001FE8FADAD92
SetLastError.KERNEL32 ref: 000001FE8FADADB5

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: a5f0163f4acb8b974cacfdb07cbf087a1492aeecdc8c13315bce12a0094e587a
Instruction ID: 0116af1a5038f0e07c892bca68370251e0bd2adb0d65ca3ed4a2dc04c868409e
Opcode Fuzzy Hash: a5f0163f4acb8b974cacfdb07cbf087a1492aeecdc8c13315bce12a0094e587a
Instruction Fuzzy Hash: 78B19D32301A828AEB62FB15D9507B923E5FB48BE4F444675DF4A47BA1EF38D456C300

Function 000001FE8FAE32E0 Relevance: 19.6, APIs: 13, Instructions: 121networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000001FE8FAE333F
WSASetLastError.WS2_32 ref: 000001FE8FAE3352
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE335C
WSASetLastError.WS2_32 ref: 000001FE8FAE33A7
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE33B1
WSASetLastError.WS2_32 ref: 000001FE8FAE3479

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalErrorLastSection$Leave$Enter
String ID:
API String ID: 3650451384-0
Opcode ID: 21337f2ffdf3b93cbb6cca8b1675b67f4d5956b45ff553cf537671f279ca96a2
Instruction ID: 6a594ef86344e18ac4ca3fa30d4c78f8a758cc582ef67b9f8d403e52597f5b80
Opcode Fuzzy Hash: 21337f2ffdf3b93cbb6cca8b1675b67f4d5956b45ff553cf537671f279ca96a2
Instruction Fuzzy Hash: 51513F36204F8286EB71AB15A4107BDB7E0F785BB1F144274CB9A877B1DF78D44A8700

Function 000000014000B7F0 Relevance: 19.6, APIs: 13, Instructions: 121networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014000B84F
WSASetLastError.WS2_32 ref: 000000014000B862
LeaveCriticalSection.KERNEL32 ref: 000000014000B86C
WSASetLastError.WS2_32 ref: 000000014000B8B7
LeaveCriticalSection.KERNEL32 ref: 000000014000B8C1
WSASetLastError.WS2_32 ref: 000000014000B989

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalErrorLastSection$Leave$Enter
String ID:
API String ID: 3650451384-0
Opcode ID: 1c300547cf81033922c0f2f8a93969f9d7edcc1f4596588974520377087e211c
Instruction ID: 7ad27bf34863c6bf8fe744d9ce82e7e9009ef55e81a34259adc1220e4f2661f0
Opcode Fuzzy Hash: 1c300547cf81033922c0f2f8a93969f9d7edcc1f4596588974520377087e211c
Instruction Fuzzy Hash: 8A51F776204A408AE772DB27B4443AAB7A1F78DBE0F145125EB9A477B0DF79D885C700

Function 000001FE8FAE9FD8 Relevance: 19.6, APIs: 13, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__free_lconv_mon.LIBCMT ref: 000001FE8FAEA030

Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF16FA
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF170C
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF171E
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF1730
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF1742
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF1754
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF1766
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF1778
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF178A
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF179C
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF17B1
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF17C6
Part of subcall function 000001FE8FAF16DC: free.LIBCMT ref: 000001FE8FAF17DB

free.LIBCMT ref: 000001FE8FAEA024

Part of subcall function 000001FE8FAE4698: HeapFree.KERNEL32 ref: 000001FE8FAE46AE
Part of subcall function 000001FE8FAE4698: _errno.LIBCMT ref: 000001FE8FAE46B8

free.LIBCMT ref: 000001FE8FAEA046
__free_lconv_num.LIBCMT ref: 000001FE8FAEA052
free.LIBCMT ref: 000001FE8FAEA05E
free.LIBCMT ref: 000001FE8FAEA06A
free.LIBCMT ref: 000001FE8FAEA08E
free.LIBCMT ref: 000001FE8FAEA0A2
free.LIBCMT ref: 000001FE8FAEA0B1
free.LIBCMT ref: 000001FE8FAEA0BD
free.LIBCMT ref: 000001FE8FAEA0EA
free.LIBCMT ref: 000001FE8FAEA112
free.LIBCMT ref: 000001FE8FAEA12C

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeap__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 2573795696-0
Opcode ID: cb00de6662f5520fdc5f3791fe64273e5581ddefffeafd99a740971fc32c6413
Instruction ID: b86f636edf46d08687b04d80d7f8a26ff18dd14a258ec429ef556dc8d04e9f86
Opcode Fuzzy Hash: cb00de6662f5520fdc5f3791fe64273e5581ddefffeafd99a740971fc32c6413
Instruction Fuzzy Hash: B441F936612EC688EF65BF21C4613FC23E4EB84FE4F4844759B4D4A6A6DF6888928310

Function 0000000140015CC4 Relevance: 19.6, APIs: 13, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__free_lconv_mon.LIBCMT ref: 0000000140015D1C

Part of subcall function 0000000140019524: free.LIBCMT ref: 0000000140019542
Part of subcall function 0000000140019524: free.LIBCMT ref: 0000000140019554
Part of subcall function 0000000140019524: free.LIBCMT ref: 0000000140019566
Part of subcall function 0000000140019524: free.LIBCMT ref: 0000000140019578
Part of subcall function 0000000140019524: free.LIBCMT ref: 000000014001958A
Part of subcall function 0000000140019524: free.LIBCMT ref: 000000014001959C
Part of subcall function 0000000140019524: free.LIBCMT ref: 00000001400195AE
Part of subcall function 0000000140019524: free.LIBCMT ref: 00000001400195C0
Part of subcall function 0000000140019524: free.LIBCMT ref: 00000001400195D2
Part of subcall function 0000000140019524: free.LIBCMT ref: 00000001400195E4
Part of subcall function 0000000140019524: free.LIBCMT ref: 00000001400195F9
Part of subcall function 0000000140019524: free.LIBCMT ref: 000000014001960E
Part of subcall function 0000000140019524: free.LIBCMT ref: 0000000140019623

free.LIBCMT ref: 0000000140015D10

Part of subcall function 000000014000CDD8: RtlFreeHeap.NTDLL(?,?,?,000000014000105E), ref: 000000014000CDEE
Part of subcall function 000000014000CDD8: _errno.LIBCMT ref: 000000014000CDF8

free.LIBCMT ref: 0000000140015D32
__free_lconv_num.LIBCMT ref: 0000000140015D3E
free.LIBCMT ref: 0000000140015D4A
free.LIBCMT ref: 0000000140015D56
free.LIBCMT ref: 0000000140015D7A
free.LIBCMT ref: 0000000140015D8E
free.LIBCMT ref: 0000000140015D9D
free.LIBCMT ref: 0000000140015DA9
free.LIBCMT ref: 0000000140015DD6
free.LIBCMT ref: 0000000140015DFE
free.LIBCMT ref: 0000000140015E18

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeap__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 2573795696-0
Opcode ID: d75b551c36e4cdf0e0863f973bd3fdc533001a4c5333fda6d835f932719aced2
Instruction ID: 16ba26a8fd9490488f59f1c6bfc00149bb069836530eabfd1ba7492b4cef4162
Opcode Fuzzy Hash: d75b551c36e4cdf0e0863f973bd3fdc533001a4c5333fda6d835f932719aced2
Instruction Fuzzy Hash: 8641FA32612644C5FE67EB62D4543E823A0AB8CBD5F484432AB0A1F2E5DF35C991C750

Function 000001FE8FAEB3D4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000001FE8FAEB404

Part of subcall function 000001FE8FAE6FA8: _amsg_exit.LIBCMT ref: 000001FE8FAE6FBE

_getptd.LIBCMT ref: 000001FE8FAEB418
_getptd.LIBCMT ref: 000001FE8FAEB452
_getptd.LIBCMT ref: 000001FE8FAEB45E
_getptd.LIBCMT ref: 000001FE8FAEB46A
_CreateFrameInfo.LIBCMT ref: 000001FE8FAEB47F

Part of subcall function 000001FE8FAE5CFC: _getptd.LIBCMT ref: 000001FE8FAE5D08
Part of subcall function 000001FE8FAE5CFC: _getptd.LIBCMT ref: 000001FE8FAE5D16
Part of subcall function 000001FE8FAE5CFC: _getptd.LIBCMT ref: 000001FE8FAE5D2A

_getptd.LIBCMT ref: 000001FE8FAEB49D
_getptd.LIBCMT ref: 000001FE8FAEB5A3
_getptd.LIBCMT ref: 000001FE8FAEB5AF

Strings

csm, xrefs: 000001FE8FAEB563

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$CreateFrameInfo_amsg_exit
String ID: csm
API String ID: 2825728721-1018135373
Opcode ID: bc2077fb82e993c6a671ee9943b81fbe161145c008b44bcd5635a92dfd771e75
Instruction ID: 12396a63d9aed3818192607fabb08f35e8a67458488577cfb2ebcd8ca7e08b51
Opcode Fuzzy Hash: bc2077fb82e993c6a671ee9943b81fbe161145c008b44bcd5635a92dfd771e75
Instruction Fuzzy Hash: F4416C36114B8282DA70AB12E4503EE73E8F789BF4F444275EFAD07BA2DB38D0568710

Function 0000000140012204 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000140012234

Part of subcall function 000000014000E7A0: _amsg_exit.LIBCMT ref: 000000014000E7B6

_getptd.LIBCMT ref: 0000000140012248
_getptd.LIBCMT ref: 0000000140012282
_getptd.LIBCMT ref: 000000014001228E
_getptd.LIBCMT ref: 000000014001229A
_CreateFrameInfo.LIBCMT ref: 00000001400122AF

Part of subcall function 000000014000D3EC: _getptd.LIBCMT ref: 000000014000D3F8
Part of subcall function 000000014000D3EC: _getptd.LIBCMT ref: 000000014000D406
Part of subcall function 000000014000D3EC: _getptd.LIBCMT ref: 000000014000D41A

_getptd.LIBCMT ref: 00000001400122CD
_getptd.LIBCMT ref: 00000001400123D3
_getptd.LIBCMT ref: 00000001400123DF

Strings

csm, xrefs: 0000000140012393

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$CreateFrameInfo_amsg_exit
String ID: csm
API String ID: 2825728721-1018135373
Opcode ID: 8f222e020112ae842c3c4c68fcc30c68a10daa5b881025fc26f49261b3f43a6e
Instruction ID: acdaeb1b95411d8282de9e9f47ccf94d55616218c24a67ee76c99068014e07bf
Opcode Fuzzy Hash: 8f222e020112ae842c3c4c68fcc30c68a10daa5b881025fc26f49261b3f43a6e
Instruction Fuzzy Hash: 1A415936114B8582E6719B12A4403EE77A4F388BE4F444625EF9D0BBA6DB39C5A5C701

Function 000001FE8FAE2CD0 Relevance: 16.6, APIs: 11, Instructions: 107networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000001FE8FAE2D14
WSASetLastError.WS2_32 ref: 000001FE8FAE2D26
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE2D30

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 5e2c67101b115eefd770f9530645276a89eac283016001a0172ea502d058b9de
Instruction ID: fc58875e53b704ae01dc2c66b2516eda3f8662aa826a3883cff6222ef676e99c
Opcode Fuzzy Hash: 5e2c67101b115eefd770f9530645276a89eac283016001a0172ea502d058b9de
Instruction Fuzzy Hash: 15418F31710E9286F624BB26E8647FA23D1F785BF1F5442B19F56872B0CF38D4468360

Function 000000014000B1E0 Relevance: 16.6, APIs: 11, Instructions: 107networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014000B224
WSASetLastError.WS2_32 ref: 000000014000B236
LeaveCriticalSection.KERNEL32 ref: 000000014000B240

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: def6dd5b1c47440ac98d2b9d2c95777227165119e6d7f2433b2e2f5064c1cd78
Instruction ID: 0d0f588757f3907c692e3f93d38da76148eed5c00e8cc8052bc9189f3b05855d
Opcode Fuzzy Hash: def6dd5b1c47440ac98d2b9d2c95777227165119e6d7f2433b2e2f5064c1cd78
Instruction Fuzzy Hash: 77415E75310A8086E666DB2BB8153EE6251F78DBE1F585121BF6A877F4DF39C8849300

Function 00007FF665B70B60 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF665B70B77
GetProcAddress.KERNEL32 ref: 00007FF665B70B8C
QueryPerformanceFrequency.KERNEL32 ref: 00007FF665B70B9E
QueryPerformanceCounter.KERNEL32 ref: 00007FF665B70BD0
GetTickCount.KERNEL32 ref: 00007FF665B70C30

Strings

GetTickCount64, xrefs: 00007FF665B70B82
QueryPerformanceCounter failed, although QueryPerformanceFrequency succeeded., xrefs: 00007FF665B70BF8
default, xrefs: 00007FF665B70BF1
kernel32, xrefs: 00007FF665B70B70

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: PerformanceQuery$AddressCountCounterFrequencyHandleModuleProcTick
String ID: GetTickCount64$QueryPerformanceCounter failed, although QueryPerformanceFrequency succeeded.$default$kernel32
API String ID: 3248421294-3823320790
Opcode ID: c59a33e538b6d16315bac9845251cd1345709dcc26705cc9562fa14b61e4d09c
Instruction ID: 52dfb27d14476bcc42a61baa1ed047dd73a87366ac874dffb1532bb3c2bb16ee
Opcode Fuzzy Hash: c59a33e538b6d16315bac9845251cd1345709dcc26705cc9562fa14b61e4d09c
Instruction Fuzzy Hash: FC212A65F09B87C6FB008B60E99623563B0AF99F44F484139D44ECA3A4EF6CE984C704

Function 000001FE8FAD9DC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000001FE8FAD9E11
RegDeleteValueW.ADVAPI32 ref: 000001FE8FAD9E1F
RegCloseKey.ADVAPI32 ref: 000001FE8FAD9E2A
RegCreateKeyW.ADVAPI32 ref: 000001FE8FAD9E4A
lstrlenW.KERNEL32 ref: 000001FE8FAD9E57
RegSetValueExW.ADVAPI32 ref: 000001FE8FAD9E79
RegCloseKey.ADVAPI32 ref: 000001FE8FAD9E84

Strings

AppEvents, xrefs: 000001FE8FAD9DEE
Network, xrefs: 000001FE8FAD9DE7

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpenlstrlen
String ID: AppEvents$Network
API String ID: 3197061591-3733486940
Opcode ID: 36e90fbbfea98bc956dd5aeff78b519238191f212cae5700653f1760c57783c9
Instruction ID: 4c491a5b61f04888b301c9977f51a6ff9124572e8417e50c7aef076cccecc85d
Opcode Fuzzy Hash: 36e90fbbfea98bc956dd5aeff78b519238191f212cae5700653f1760c57783c9
Instruction Fuzzy Hash: 4F212436314A8186EB10AB12F844B9AB3A1F784BF5F540231EE5947BA8CF7CC146CB04

Function 000001FE8FAF0D3C Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000001FE8FAF0DD6
malloc.LIBCMT ref: 000001FE8FAF0E3F
MultiByteToWideChar.KERNEL32 ref: 000001FE8FAF0E73
LCMapStringW.KERNEL32 ref: 000001FE8FAF0E9A
LCMapStringW.KERNEL32 ref: 000001FE8FAF0EE2
malloc.LIBCMT ref: 000001FE8FAF0F3F

Part of subcall function 000001FE8FAE46D8: _FF_MSGBANNER.LIBCMT ref: 000001FE8FAE4708
Part of subcall function 000001FE8FAE46D8: HeapAlloc.KERNEL32 ref: 000001FE8FAE472D
Part of subcall function 000001FE8FAE46D8: _callnewh.LIBCMT ref: 000001FE8FAE4746
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE4751
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE475C

LCMapStringW.KERNEL32 ref: 000001FE8FAF0F74
WideCharToMultiByte.KERNEL32 ref: 000001FE8FAF0FB4
free.LIBCMT ref: 000001FE8FAF0FC8
free.LIBCMT ref: 000001FE8FAF0FD9

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: 6d8b7b3dc11a15fff77c7ccf32e137587439f77b0189d775a4a507dbfda42e36
Instruction ID: 83a3a6060909d24d368d5337b72e80dfdd9bfd14edaeebcb55915b1a02ab89ef
Opcode Fuzzy Hash: 6d8b7b3dc11a15fff77c7ccf32e137587439f77b0189d775a4a507dbfda42e36
Instruction Fuzzy Hash: 57817032704BC286EB24AF2594807BA66D5F748BF4F548775AB598BBE4DB38C5028710

Function 000001FE8FAD4390 Relevance: 15.1, APIs: 10, Instructions: 126COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000001FE8FAD43AD
OpenProcess.KERNEL32 ref: 000001FE8FAD43BD
OpenProcessToken.ADVAPI32 ref: 000001FE8FAD43E5
CloseHandle.KERNEL32 ref: 000001FE8FAD43F2
SysStringLen.OLEAUT32 ref: 000001FE8FAD4440
SysStringLen.OLEAUT32 ref: 000001FE8FAD4453
CloseHandle.KERNEL32 ref: 000001FE8FAD44BD
CloseHandle.KERNEL32 ref: 000001FE8FAD44C6
SysFreeString.OLEAUT32 ref: 000001FE8FAD44FC
SysFreeString.OLEAUT32 ref: 000001FE8FAD4539

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: String$CloseHandleProcess$FreeOpen$CurrentToken
String ID:
API String ID: 3697972778-0
Opcode ID: c0b0e474b926fcc330e320d504bf00c551296146189a67d64404ddb141be6ede
Instruction ID: 3d1772c91f47309d4b6c0dce76209b029146803892bbaf637fe608f91bcff23d
Opcode Fuzzy Hash: c0b0e474b926fcc330e320d504bf00c551296146189a67d64404ddb141be6ede
Instruction Fuzzy Hash: 76515E76201AC282EAA5BB11A4107F963E4FB84FE4F1842758F5A4B6A5DF38C8568740

Function 000001FE8FAF0B64 Relevance: 15.1, APIs: 10, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAF0BAB
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAF0BB7
_errno.LIBCMT ref: 000001FE8FAF0C01
_errno.LIBCMT ref: 000001FE8FAF0C0C
_errno.LIBCMT ref: 000001FE8FAF0C3E
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAF0C48
WideCharToMultiByte.KERNEL32 ref: 000001FE8FAF0CBA
GetLastError.KERNEL32 ref: 000001FE8FAF0CD7
_errno.LIBCMT ref: 000001FE8FAF0CFD
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAF0D09

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 2295021086-0
Opcode ID: 8a0d1357173deac69c26e3324236e112c1b1041ebc1a21b94e928fbcca27f017
Instruction ID: 1929503149e62f1094f8b893f0f8665382d47a5d76bdbfd505ce10182d904436
Opcode Fuzzy Hash: 8a0d1357173deac69c26e3324236e112c1b1041ebc1a21b94e928fbcca27f017
Instruction Fuzzy Hash: BB518F32601AC28AFB61BB21C4943FC76E0EB40BF8F5487B59F594AAE5DB3885478701

Function 000000014001764C Relevance: 15.1, APIs: 10, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140017693
_invalid_parameter_noinfo.LIBCMT ref: 000000014001769F
_errno.LIBCMT ref: 00000001400176E9
_errno.LIBCMT ref: 00000001400176F4
_errno.LIBCMT ref: 0000000140017726
_invalid_parameter_noinfo.LIBCMT ref: 0000000140017730
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,000000014001781F), ref: 00000001400177A2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,000000014001781F), ref: 00000001400177BF
_errno.LIBCMT ref: 00000001400177E5
_invalid_parameter_noinfo.LIBCMT ref: 00000001400177F1

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 2295021086-0
Opcode ID: c6db97a4bb20f59843c30963b0e0be0a0672b1597ed532e94f36ced9df2088c5
Instruction ID: 5abd1bc9279174208ef5b362f3903396ae01f38917feaa785e0acb090f5a34c8
Opcode Fuzzy Hash: c6db97a4bb20f59843c30963b0e0be0a0672b1597ed532e94f36ced9df2088c5
Instruction Fuzzy Hash: 6251F572604B818AFB67CB2BD9407EC36B0AB4C7E8F184621FB1D1BAE5DB3984418711

Function 000000014000CA2C Relevance: 15.1, APIs: 10, Instructions: 87COMMON

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000014000CA96
_FF_MSGBANNER.LIBCMT ref: 000000014000CAC1
_RTC_Initialize.LIBCMT ref: 000000014000CADA
_amsg_exit.LIBCMT ref: 000000014000CAEE
GetCommandLineW.KERNEL32 ref: 000000014000CAF3
__wsetargv.LIBCMT ref: 000000014000CB0C
_amsg_exit.LIBCMT ref: 000000014000CB1A
_amsg_exit.LIBCMT ref: 000000014000CB2D
_cinit.LIBCMT ref: 000000014000CB37
_amsg_exit.LIBCMT ref: 000000014000CB42

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _amsg_exit$CommandInitializeLine__wsetargv_cinit
String ID:
API String ID: 2949660345-0
Opcode ID: 0f4283b1760a3c16a40ded28c3f021eb12903efaddd1541ce61f6a1fad5ddaeb
Instruction ID: 2683727396221e556a9897ded846af282ad421c8bea8ad49c2a50014e4c8efa3
Opcode Fuzzy Hash: 0f4283b1760a3c16a40ded28c3f021eb12903efaddd1541ce61f6a1fad5ddaeb
Instruction Fuzzy Hash: 31313EB071164586FB57EBA7B4527F92291AB8E3C4F044039B701876F3DF788840E652

Function 00007FF665B6FE10 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 295COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32 ref: 00007FF665B6FF6A
WaitForMultipleObjects.KERNEL32 ref: 00007FF665B6FFC5

Part of subcall function 00007FF665B49CB0: _CxxThrowException.LIBVCRUNTIME ref: 00007FF665B49CDF

CloseHandle.KERNEL32 ref: 00007FF665B70081
GetLastError.KERNEL32 ref: 00007FF665B701DB
TlsGetValue.KERNEL32 ref: 00007FF665B70254

Strings

QThread internal error while waiting for adopted threads: %d, xrefs: 00007FF665B701E4
@, xrefs: 00007FF665B6FF87
default, xrefs: 00007FF665B6FE55

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: MultipleObjectsWait$CloseErrorExceptionHandleLastThrowValue
String ID: @$QThread internal error while waiting for adopted threads: %d$default
API String ID: 260478653-2992040041
Opcode ID: a17424416e23380ba081f0f70fe6da9368696a7339bf18603e62f94c7f294120
Instruction ID: 61654f7538796bda9ea961b96ba8a1aa2230c6b72381fb13ca79788c912ce372
Opcode Fuzzy Hash: a17424416e23380ba081f0f70fe6da9368696a7339bf18603e62f94c7f294120
Instruction Fuzzy Hash: 95C1C072A18686C6EF149B25D4622B977B1FB8AF94F148236D91D8B7E5CE3CE841C700

Function 000001FE8FAEA424 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 000001FE8FAEA445

Part of subcall function 000001FE8FAE79CC: Sleep.KERNEL32 ref: 000001FE8FAE7A11

GetFileType.KERNEL32 ref: 000001FE8FAEA5B0
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000001FE8FAEA5EE

Strings

@, xrefs: 000001FE8FAEA6A9

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID: @
API String ID: 3473179607-2766056989
Opcode ID: 70613ee20f0b469d2dc4fa8b7aa00a0ec4ba75fb24369761d5266e73a85542bd
Instruction ID: 29b2add211cf3e3c009c87497b217406fbe1fe14e3223f4a6b616f89e5c80ef5
Opcode Fuzzy Hash: 70613ee20f0b469d2dc4fa8b7aa00a0ec4ba75fb24369761d5266e73a85542bd
Instruction Fuzzy Hash: 3C814A72200BC296EB24AF24D8A47A937E4E745BB4F548375CB7A476E0EB38C45BC310

Function 000001FE8FAD3DB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 117registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000001FE8FAD3E19
RegQueryInfoKeyW.ADVAPI32 ref: 000001FE8FAD3E74
RegEnumKeyExW.ADVAPI32 ref: 000001FE8FAD3F09
lstrlenW.KERNEL32 ref: 000001FE8FAD3F13
lstrlenW.KERNEL32 ref: 000001FE8FAD3F22

Part of subcall function 000001FE8FAE4574: _errno.LIBCMT ref: 000001FE8FAE4593
Part of subcall function 000001FE8FAE4574: _invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE459F

Part of subcall function 000001FE8FAE4574: _errno.LIBCMT ref: 000001FE8FAE45E9

RegCloseKey.ADVAPI32 ref: 000001FE8FAD3F6B
lstrlenW.KERNEL32 ref: 000001FE8FAD3F88

Strings

Software\Tencent\Plugin\VAS, xrefs: 000001FE8FAD3DFD

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: lstrlen$_errno$CloseEnumInfoOpenQuery_invalid_parameter_noinfo
String ID: Software\Tencent\Plugin\VAS
API String ID: 47975445-3343197220
Opcode ID: e7f4e84029ec382a2d93beb0de2337fa29a23218f62e48d748265e7efd93be2b
Instruction ID: 4d3c540ac3fe7fbc2930aa7ec1824fd19db227db47f64a0c6d21e651698029ff
Opcode Fuzzy Hash: e7f4e84029ec382a2d93beb0de2337fa29a23218f62e48d748265e7efd93be2b
Instruction Fuzzy Hash: 52516236614BC286E760EB21F8507EE73E4F788798F900266DB8D47A68DF38C556CB40

Function 000001FE8FAF23A4 Relevance: 13.7, APIs: 9, Instructions: 242COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAF23F5
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAF2400

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 5b15c66cd6d411bd027aebc04f631a0e3f4aaa2a84db44a19bfb65910699da26
Instruction ID: 1692bfa309ee7df44431f29efea48a696cef7733e47b6388b1c0a0edda1d582c
Opcode Fuzzy Hash: 5b15c66cd6d411bd027aebc04f631a0e3f4aaa2a84db44a19bfb65910699da26
Instruction Fuzzy Hash: 12A17F726116C286FBA0AB65A4503F976E4F7447F4F1447B5DF590AAF8DB38C4838720

Function 00000001400184E0 Relevance: 13.6, APIs: 9, Instructions: 146COMMON

Download Yara Rule

APIs

_getbuf.LIBCMT ref: 0000000140018549
_fileno.LIBCMT ref: 000000014001855B
_fileno.LIBCMT ref: 0000000140018576
_fileno.LIBCMT ref: 0000000140018583
_fileno.LIBCMT ref: 0000000140018592
_fileno.LIBCMT ref: 00000001400185B9
_fileno.LIBCMT ref: 00000001400185C6
_fileno.LIBCMT ref: 00000001400185D3
_fileno.LIBCMT ref: 00000001400185E2

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _fileno$_getbuf
String ID:
API String ID: 92340818-0
Opcode ID: cb7261e508c6910e47f60d76cd7adf87120ddc1c9827de64f9d8a6a9491afa45
Instruction ID: bd12791018685ae12ce60ba58c1b3ccf989c285c21f985114249dd3a83be8bb7
Opcode Fuzzy Hash: cb7261e508c6910e47f60d76cd7adf87120ddc1c9827de64f9d8a6a9491afa45
Instruction Fuzzy Hash: 9F51F83220564042EB769B2796843A837A0FB5D7D8F140215FF594B6E1DB39CA62C740

Function 000001FE8FAE3110 Relevance: 13.6, APIs: 9, Instructions: 124COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 000001FE8FAE313E
EnterCriticalSection.KERNEL32 ref: 000001FE8FAE3162
SetLastError.KERNEL32 ref: 000001FE8FAE3175
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE317F

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 647e02dd2c1bdac2cb0593e1bcada1d5777c8686bc1b852d6813ed41c29527b2
Instruction ID: 169804850c9e5c8eb619a9709744cb488e3a2e5ee206114489ae5d4b2ca706ef
Opcode Fuzzy Hash: 647e02dd2c1bdac2cb0593e1bcada1d5777c8686bc1b852d6813ed41c29527b2
Instruction Fuzzy Hash: C0416236200B818AE754BB21A458ABA37E5F759BE0F1552B5DF56877A1CF34C846CB00

Function 000000014000B620 Relevance: 13.6, APIs: 9, Instructions: 124COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 000000014000B64E
EnterCriticalSection.KERNEL32 ref: 000000014000B672
SetLastError.KERNEL32 ref: 000000014000B685
LeaveCriticalSection.KERNEL32 ref: 000000014000B68F

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 2fbd16e4ec5510598824a37ba1205699a4bd40869d2e8a2b80a5097fdbc507e3
Instruction ID: 8ffbf57962d8f6b56271dbb7e8aa7d8ce0d2d0c9d8d6ac86f58dec523bcd15a7
Opcode Fuzzy Hash: 2fbd16e4ec5510598824a37ba1205699a4bd40869d2e8a2b80a5097fdbc507e3
Instruction Fuzzy Hash: 1F41A17620464086E756EB22B408BEE33A5F78DBD5F145239EF0A877A1DF39C845C700

Function 000001FE8FAE2690 Relevance: 13.6, APIs: 9, Instructions: 109networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE15C0: SwitchToThread.KERNEL32 ref: 000001FE8FAE15FA

SetLastError.KERNEL32 ref: 000001FE8FAE2761
GetLastError.KERNEL32 ref: 000001FE8FAE27D8

Part of subcall function 000001FE8FAE0FD0: WSAEventSelect.WS2_32 ref: 000001FE8FAE0FF8
Part of subcall function 000001FE8FAE0FD0: connect.WS2_32 ref: 000001FE8FAE101D
Part of subcall function 000001FE8FAE0FD0: WSAGetLastError.WS2_32 ref: 000001FE8FAE102C

ResetEvent.KERNEL32 ref: 000001FE8FAE27A6
WSAGetLastError.WS2_32 ref: 000001FE8FAE27C9
WSAGetLastError.WS2_32 ref: 000001FE8FAE27F1
WSAGetLastError.WS2_32 ref: 000001FE8FAE2800
SetLastError.KERNEL32 ref: 000001FE8FAE280F
GetLastError.KERNEL32 ref: 000001FE8FAE2827
SetLastError.KERNEL32 ref: 000001FE8FAE283A

Part of subcall function 000001FE8FAE0EF0: htons.WS2_32 ref: 000001FE8FAE0F64
Part of subcall function 000001FE8FAE0EF0: bind.WS2_32 ref: 000001FE8FAE0F98

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$Event$ResetSelectSwitchThreadbindconnecthtons
String ID:
API String ID: 1298600207-0
Opcode ID: 6976ed68a7b460f545eb79997a661905af692d36da6c8cd53b89725313569a83
Instruction ID: 4c23914e3dfb989917d6f90a5904bc1e6127408a7af01ded7465db83fb26b6c7
Opcode Fuzzy Hash: 6976ed68a7b460f545eb79997a661905af692d36da6c8cd53b89725313569a83
Instruction Fuzzy Hash: E1416D32604F8282EB50AB21DA647BE73E5F748BE0F104165DF8A47BA4DF78D466C750

Function 00007FF665B497B0 Relevance: 13.6, APIs: 9, Instructions: 91COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FF665B497E4
VerSetConditionMask.KERNEL32 ref: 00007FF665B497F3
VerifyVersionInfoW.KERNEL32 ref: 00007FF665B49842
VerifyVersionInfoW.KERNEL32 ref: 00007FF665B4986A
VerSetConditionMask.KERNEL32 ref: 00007FF665B49889
VerSetConditionMask.KERNEL32 ref: 00007FF665B4989A
VerSetConditionMask.KERNEL32 ref: 00007FF665B498AB
VerifyVersionInfoW.KERNEL32 ref: 00007FF665B498C1
VerifyVersionInfoW.KERNEL32 ref: 00007FF665B498EA

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 10c6aff73516db3e0e7fc4b1498109461d770d16e70cbd1f77bc26cf72f8573f
Instruction ID: c981f04433680753e447494cc8844a74912169d29d14cb6a02fa6cb3c3d25525
Opcode Fuzzy Hash: 10c6aff73516db3e0e7fc4b1498109461d770d16e70cbd1f77bc26cf72f8573f
Instruction Fuzzy Hash: 9141FB36A09641C7E724CF21E85566AB7B1F788F84F048139DA8E8BB58DF3CD949CB44

Function 000001FE8FAF5CB8 Relevance: 13.6, APIs: 9, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000001FE8FAF5CE1
_errno.LIBCMT ref: 000001FE8FAF5CEA
__doserrno.LIBCMT ref: 000001FE8FAF5D48
_errno.LIBCMT ref: 000001FE8FAF5D4F
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAF5DB3

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 93f627117ff418e048685a1d2756b48fc0f2c634aa3720686b95d148af7d0f99
Instruction ID: 837bef916605c8ac553493ff05beba084a74ecbb11fd3c8de8f430ef8a4a898e
Opcode Fuzzy Hash: 93f627117ff418e048685a1d2756b48fc0f2c634aa3720686b95d148af7d0f99
Instruction Fuzzy Hash: 7D31BF326216C28AE212BF6598A53FE36D5A7807F0F054675AB110B3F2DA79D843C750

Function 000000014001C928 Relevance: 13.6, APIs: 9, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014001C951
_errno.LIBCMT ref: 000000014001C95A
__doserrno.LIBCMT ref: 000000014001C9B8
_errno.LIBCMT ref: 000000014001C9BF
_invalid_parameter_noinfo.LIBCMT ref: 000000014001CA23

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 336b4f771e014f07d6b5d16777afb6b36013b06194a566b8644ffbecc7b22c4c
Instruction ID: d67d9c6e19b896fe05e4031d09c239c26fa44e29737bb2cce02eac4e522d97ca
Opcode Fuzzy Hash: 336b4f771e014f07d6b5d16777afb6b36013b06194a566b8644ffbecc7b22c4c
Instruction Fuzzy Hash: 20313772320A9485E313AF67AC817DE36A0AB487E8F554919FB241F3F2EA79C8418351

Function 000001FE8FAE2BC0 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 000001FE8FAE2BF6
TryEnterCriticalSection.KERNEL32 ref: 000001FE8FAE2C0F
TryEnterCriticalSection.KERNEL32 ref: 000001FE8FAE2C2B
SetLastError.KERNEL32 ref: 000001FE8FAE2C47
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE2C51
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE2C5B

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: aceef0d8f6cd6c68b7d24092875a9f92703ae0e2651d92f7e848195387b296dd
Instruction ID: 4d1ce156afcd9168f97d55c1247e61d8396d7c94bd1c6877a89045127428e143
Opcode Fuzzy Hash: aceef0d8f6cd6c68b7d24092875a9f92703ae0e2651d92f7e848195387b296dd
Instruction Fuzzy Hash: 20216F31604E828AE764AB25E8103BA23E5F789BF4F2403709F579B6B4CF38C4468710

Function 000000014000B0D0 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 000000014000B106
TryEnterCriticalSection.KERNEL32 ref: 000000014000B11F
TryEnterCriticalSection.KERNEL32 ref: 000000014000B13B
SetLastError.KERNEL32 ref: 000000014000B157
LeaveCriticalSection.KERNEL32 ref: 000000014000B161
LeaveCriticalSection.KERNEL32 ref: 000000014000B16B

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 878d48c2bd4a3e8e973cbacb6bf4c101ecbb597781cdf4372316b3ca222b11bc
Instruction ID: 55d2b20e9bc2e8957781bccd7ba62b74702bb4c1efc0d635e8e85446c446fb56
Opcode Fuzzy Hash: 878d48c2bd4a3e8e973cbacb6bf4c101ecbb597781cdf4372316b3ca222b11bc
Instruction Fuzzy Hash: 65216D75204A8086E7A6DB27B8203EE63A5F78DBD4F941221FF9A876B4CF38C445C700

Function 00007FF665BB0D80 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 330COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665BB2530: GetProcAddress.KERNEL32 ref: 00007FF665BB25D0
Part of subcall function 00007FF665BB2530: GetProcAddress.KERNEL32 ref: 00007FF665BB25E7
Part of subcall function 00007FF665BB2530: GetProcAddress.KERNEL32 ref: 00007FF665BB25FE
Part of subcall function 00007FF665BB2530: GetProcAddress.KERNEL32 ref: 00007FF665BB2615
Part of subcall function 00007FF665BB2530: GetCurrentProcess.KERNEL32 ref: 00007FF665BB2630
Part of subcall function 00007FF665BB2530: OpenProcessToken.ADVAPI32 ref: 00007FF665BB265C
Part of subcall function 00007FF665BB2530: GetTokenInformation.ADVAPI32 ref: 00007FF665BB2688
Part of subcall function 00007FF665BB2530: GetTokenInformation.ADVAPI32 ref: 00007FF665BB26BC
Part of subcall function 00007FF665BB2530: GetLengthSid.ADVAPI32 ref: 00007FF665BB26CC
Part of subcall function 00007FF665BB2530: CopySid.ADVAPI32 ref: 00007FF665BB26EA

GetCurrentProcess.KERNEL32 ref: 00007FF665BB0DC6
OpenProcessToken.ADVAPI32 ref: 00007FF665BB0DDA
CloseHandle.KERNEL32 ref: 00007FF665BB0E94

Strings

HOMEPATH, xrefs: 00007FF665BB0F58
HOME, xrefs: 00007FF665BB10B8
HOMEDRIVE, xrefs: 00007FF665BB0F78
USERPROFILE, xrefs: 00007FF665BB0EB5

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProcProcessToken$CurrentInformationOpen$CloseCopyHandleLength
String ID: HOME$HOMEDRIVE$HOMEPATH$USERPROFILE
API String ID: 2161948334-698974742
Opcode ID: 522bbb0ce41df5e904172ec52821add264b1887ae4c821b0e5e19679b0eeeca8
Instruction ID: 4f8a5d37a26711e69a771527ac0c4a57723b620f6844c51a254d16b8979b0540
Opcode Fuzzy Hash: 522bbb0ce41df5e904172ec52821add264b1887ae4c821b0e5e19679b0eeeca8
Instruction Fuzzy Hash: F3E12B32B05A01CAEB10DF65D8A22BD33B0EB4AB98F584531DA1DDB6D9DE79EC05C740

Function 000001FE8FAD7F30 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 000001FE8FAD80B0

Part of subcall function 000001FE8FAE3E78: malloc.LIBCMT ref: 000001FE8FAE3E92

Part of subcall function 000001FE8FAE3E0C: _errno.LIBCMT ref: 000001FE8FAE3E2B
Part of subcall function 000001FE8FAE3E0C: _invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE3E37

swprintf.LIBCMT ref: 000001FE8FAD81DA
swprintf.LIBCMT ref: 000001FE8FAD825B

Strings

plugmark, xrefs: 000001FE8FAD7FD2
%s %s, xrefs: 000001FE8FAD809C, 000001FE8FAD8115, 000001FE8FAD81C6, 000001FE8FAD8247
onlyloadinmyself, xrefs: 000001FE8FAD7F57

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: swprintf$_errno_invalid_parameter_noinfomalloc
String ID: %s %s$onlyloadinmyself$plugmark
API String ID: 3059695456-591889663
Opcode ID: bd173990919955496a5d2fd31b15c617698a0f7984e0d23985bbef0f184765d7
Instruction ID: e7fdc0437edfa76e26123e2c12e6c855a32f8b9588b84182fa9a0d8a3c3acee8
Opcode Fuzzy Hash: bd173990919955496a5d2fd31b15c617698a0f7984e0d23985bbef0f184765d7
Instruction Fuzzy Hash: 0FA19A36300AC696EB10FF66D4943F967A1EB89BE8F448075DF5C4BBA6DE39C1428350

Function 00007FF665B705C0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 99threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF665B70708
GetThreadPriority.KERNEL32 ref: 00007FF665B70711
SetThreadPriority.KERNEL32 ref: 00007FF665B70722
ResumeThread.KERNEL32 ref: 00007FF665B7073F

Strings

QThread::start: Failed to create thread, xrefs: 00007FF665B706A9
QThread::start: Failed to set thread priority, xrefs: 00007FF665B7072C
QThread::start: Failed to resume new thread, xrefs: 00007FF665B7074A

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Priority$CurrentResume
String ID: QThread::start: Failed to create thread$QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 682968308-3963483154
Opcode ID: a895a4ec4cb16228a666090ac22768035e26b0b9b9618cbf51015f0cb63221b3
Instruction ID: a1ded69b3d065f431e0f22bc0a9608a5e670c05e6796fa01e221c4a43ce73c1f
Opcode Fuzzy Hash: a895a4ec4cb16228a666090ac22768035e26b0b9b9618cbf51015f0cb63221b3
Instruction Fuzzy Hash: 83418132A08746C2EA549B25E5262A863B0FF89B74F044335DA7D8B2E5DF3DF854CB00

Function 000001FE8FAD9780 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000001FE8FAD97FD
WriteFile.KERNEL32 ref: 000001FE8FAD982E
CloseHandle.KERNEL32 ref: 000001FE8FAD983B
lstrlenW.KERNEL32 ref: 000001FE8FAD9846
wsprintfW.USER32 ref: 000001FE8FAD986C

Strings

%s %s, xrefs: 000001FE8FAD9865

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: File$CloseCreateHandleWritelstrlenwsprintf
String ID: %s %s
API String ID: 2369136734-2939940506
Opcode ID: 09ce7afcb9fb6050578c75cf102adc5c64cf37ae564d7fe82caabfb4846adaf7
Instruction ID: 5e8c0b2c05086ff81545193b3df1766b050bd6e0c0a29536aaf338ece2553782
Opcode Fuzzy Hash: 09ce7afcb9fb6050578c75cf102adc5c64cf37ae564d7fe82caabfb4846adaf7
Instruction Fuzzy Hash: 5C315E31314AC695FB20EF21E4547EAA3A1F788BE4F5442619B4947AB8DF39D64ACB00

Function 0000000140002950 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 67sleepCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000000140002A0E
GetExitCodeProcess.KERNEL32 ref: 0000000140002A21
Sleep.KERNEL32 ref: 0000000140002A3A
wprintf.LIBCMT ref: 0000000140002A4B

Strings

houmenpeizhi, xrefs: 0000000140002994
denglupeizhi, xrefs: 000000014000295D
Unable to check if process %d is running., xrefs: 0000000140002A42

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Process$CodeExitOpenSleepwprintf
String ID: Unable to check if process %d is running.$denglupeizhi$houmenpeizhi
API String ID: 412140179-1807746241
Opcode ID: 5968e189d384624b144a4a2ebf5dec38f3adb6ed935af75678279542da2e5d03
Instruction ID: e11b3937a4fd89b096527d988a4285e19f56a7d78021119546ba1c0690918bab
Opcode Fuzzy Hash: 5968e189d384624b144a4a2ebf5dec38f3adb6ed935af75678279542da2e5d03
Instruction Fuzzy Hash: BC217CB171464182EB62DB23B8803F973A1A78D7D4F540529FB4A477B5EF78C8458B01

Function 000001FE8FADD3C0 Relevance: 12.1, APIs: 8, Instructions: 120synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 000001FE8FADD3F9
SetLastError.KERNEL32 ref: 000001FE8FADD408
CloseHandle.KERNEL32 ref: 000001FE8FADD41D
CloseHandle.KERNEL32 ref: 000001FE8FADD445
CloseHandle.KERNEL32 ref: 000001FE8FADD46D
DeleteCriticalSection.KERNEL32 ref: 000001FE8FADD4F5
free.LIBCMT ref: 000001FE8FADD538
CloseHandle.KERNEL32 ref: 000001FE8FADD55B

Part of subcall function 000001FE8FAE1710: GetCurrentThreadId.KERNEL32 ref: 000001FE8FAE171D

Part of subcall function 000001FE8FAD72B0: GdipDisposeImage.GDIPLUS ref: 000001FE8FAD72ED
Part of subcall function 000001FE8FAD72B0: GdipFree.GDIPLUS ref: 000001FE8FAD72FB

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandle$Gdip$CriticalCurrentDeleteDisposeErrorFreeImageLastObjectSectionSingleThreadWaitfree
String ID:
API String ID: 1027730736-0
Opcode ID: 347c1ec12ef1d2ec7bf1145c1b6afb1a60276238f096c0ea2858b635a1103b41
Instruction ID: 097861fca859055c604faedc1cc27ebaa9a33627ea2ac9120ce1a40254926bd4
Opcode Fuzzy Hash: 347c1ec12ef1d2ec7bf1145c1b6afb1a60276238f096c0ea2858b635a1103b41
Instruction Fuzzy Hash: 33512C72202BC286EB56BF64D4507FD23E4EB80BE8F5847759F598A6B5CF34C8468310

Function 00000001400058D0 Relevance: 12.1, APIs: 8, Instructions: 119synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000000140005909
SetLastError.KERNEL32 ref: 0000000140005918
CloseHandle.KERNEL32 ref: 000000014000592D
CloseHandle.KERNEL32 ref: 0000000140005955
CloseHandle.KERNEL32 ref: 000000014000597D
DeleteCriticalSection.KERNEL32 ref: 0000000140005A05
free.LIBCMT ref: 0000000140005A48
CloseHandle.KERNEL32 ref: 0000000140005A6B

Part of subcall function 0000000140009C20: GetCurrentThreadId.KERNEL32 ref: 0000000140009C2D

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandle$CriticalCurrentDeleteErrorLastObjectSectionSingleThreadWaitfree
String ID:
API String ID: 429269332-0
Opcode ID: 940c03b3e391b6f0df8739824c821e814237e079157a3131c643470a4da37853
Instruction ID: d203ec23ff589d5f1a3d7843f840c05f4e4c625ef31925fb42e6c590769b3a67
Opcode Fuzzy Hash: 940c03b3e391b6f0df8739824c821e814237e079157a3131c643470a4da37853
Instruction Fuzzy Hash: F15176B6206B4185EB56EF26E4503ED23A4FB4ABE5F184235EF594B2F5CF34C8418314

Function 00007FF665B63920 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strchr.LIBVCRUNTIME ref: 00007FF665B639CA

Strings

signal, xrefs: 00007FF665B63953
method, xrefs: 00007FF665B63936
slot, xrefs: 00007FF665B6395C
QObject::%s: No such %s %s::%s%s%s, xrefs: 00007FF665B63A45
QObject::%s: Parentheses expected, %s %s::%s%s%s, xrefs: 00007FF665B63A21
in , xrefs: 00007FF665B639F1
default, xrefs: 00007FF665B639DB

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: strchr
String ID: in $QObject::%s: No such %s %s::%s%s%s$QObject::%s: Parentheses expected, %s %s::%s%s%s$default$method$signal$slot
API String ID: 2830005266-1438824482
Opcode ID: ed1abf882f2c03d4d3c043e58149050cc9689118d8bd9510a25f0b8134be170e
Instruction ID: ade573d5f165cfb7b2e581b7d0b3ee331e54b79dbd748431a6db4d7e83ba1569
Opcode Fuzzy Hash: ed1abf882f2c03d4d3c043e58149050cc9689118d8bd9510a25f0b8134be170e
Instruction Fuzzy Hash: 9641D722A09F55C2EB60CF11E9552A977B0FB8AF90F444135DAAE8BB95DF3CD885C700

Function 000000014001B9B0 Relevance: 12.1, APIs: 8, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001B9C7
_invalid_parameter_noinfo.LIBCMT ref: 000000014001B9D2

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 5ee1e5f1307faef82a43cc4adb80dc0793dd143b06ed78ac7dba27c580814ce9
Instruction ID: a3e1252da51eb40aef0e1f1842fc989bfeecaf9cbbee513c674de7a38251166d
Opcode Fuzzy Hash: 5ee1e5f1307faef82a43cc4adb80dc0793dd143b06ed78ac7dba27c580814ce9
Instruction Fuzzy Hash: 5341C53221064146EB668B6BD6913EC37A0FF0D7D4F680619FB598B6E1DB36C8A2C741

Function 000000014001BC7C Relevance: 12.1, APIs: 8, Instructions: 95COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001BC93
_invalid_parameter_noinfo.LIBCMT ref: 000000014001BC9E

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: b463df3787636ec145c702a7e3d2ae7b8437b1aa176ea829ece4ebc51790ba93
Instruction ID: 19bf9ec2fef539587d3f7cbfad646731e590394261dcb9038f5f8cf91364423f
Opcode Fuzzy Hash: b463df3787636ec145c702a7e3d2ae7b8437b1aa176ea829ece4ebc51790ba93
Instruction Fuzzy Hash: 9541C83221064192EB6A9B7BE6413EC37A0F75D7D4F280615FB598B6F1DB35C862C740

Function 000001FE8FADF160 Relevance: 10.8, APIs: 2, Strings: 5, Instructions: 339COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000001FE8FADF376
malloc.LIBCMT ref: 000001FE8FADF45D

Part of subcall function 000001FE8FAE46D8: _FF_MSGBANNER.LIBCMT ref: 000001FE8FAE4708
Part of subcall function 000001FE8FAE46D8: HeapAlloc.KERNEL32 ref: 000001FE8FAE472D
Part of subcall function 000001FE8FAE46D8: _callnewh.LIBCMT ref: 000001FE8FAE4746
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE4751
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE475C

Strings

input probe, xrefs: 000001FE8FADF4D5
input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 000001FE8FADF3D1
input wins: %lu, xrefs: 000001FE8FADF4FE
[RI] %d bytes, xrefs: 000001FE8FADF19A
input psh: sn=%lu ts=%lu, xrefs: 000001FE8FADF40E

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$AllocHeap_callnewhfreemalloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3198430600-868042568
Opcode ID: 71f902fbc9141746ee0dab03b95b383ee8bd6d96c1cc4bade1ccfda00f101f5a
Instruction ID: 6ecbf55a97b0d435282c7e0186d75e92d5a1ff56ed152a3695f4fa4e39b9f110
Opcode Fuzzy Hash: 71f902fbc9141746ee0dab03b95b383ee8bd6d96c1cc4bade1ccfda00f101f5a
Instruction Fuzzy Hash: 24E1B2726046C28AE775BF29E4407BF7BE4F7447E8F144261DB9687BA5DA38D842CB00

Function 0000000140007670 Relevance: 10.8, APIs: 2, Strings: 5, Instructions: 339COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140007886
malloc.LIBCMT ref: 000000014000796D

Part of subcall function 000000014000CC4C: _FF_MSGBANNER.LIBCMT ref: 000000014000CC7C
Part of subcall function 000000014000CC4C: HeapAlloc.KERNEL32(?,?,00000000,000000014000F17C,?,?,?,00000001400163E9,?,?,?,0000000140016493), ref: 000000014000CCA1
Part of subcall function 000000014000CC4C: _callnewh.LIBCMT ref: 000000014000CCBA
Part of subcall function 000000014000CC4C: _errno.LIBCMT ref: 000000014000CCC5
Part of subcall function 000000014000CC4C: _errno.LIBCMT ref: 000000014000CCD0

Strings

input probe, xrefs: 00000001400079E5
input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 00000001400078E1
input wins: %lu, xrefs: 0000000140007A0E
input psh: sn=%lu ts=%lu, xrefs: 000000014000791E
[RI] %d bytes, xrefs: 00000001400076AA

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$AllocHeap_callnewhfreemalloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3198430600-868042568
Opcode ID: 799095425a2dc9d550ccedf1bd6281258ec8283532ce5ff5b40e01d74f7f7ecb
Instruction ID: de6d08f0b351256751b5bcb0ce223f13a09a26461f9db43ef935d21b8bb9b3e0
Opcode Fuzzy Hash: 799095425a2dc9d550ccedf1bd6281258ec8283532ce5ff5b40e01d74f7f7ecb
Instruction Fuzzy Hash: DFE194B2B046808BE776CB2AF440B9E7BA1F7897C4F544415EB9A43BA5DB3CD940CB50

Function 000001FE8FAE3530 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

bad allocation, xrefs: 000001FE8FAE3641, 000001FE8FAE3790

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: bad allocation
API String ID: 0-2104205924
Opcode ID: e8f0598dbd45f399888059267843e7640e179de0418f77ab1c84c48c3c6fc7e4
Instruction ID: b90b44c55f19e5c25c7b8b03936d9b7dd26149c2f277ca514ea66a697e274995
Opcode Fuzzy Hash: e8f0598dbd45f399888059267843e7640e179de0418f77ab1c84c48c3c6fc7e4
Instruction Fuzzy Hash: 3681CA3A705FC281EA60EB05E9607BABBE4F784BE4F544171DF4A47BA8DB38C4568700

Function 000000014000BA40 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

bad allocation, xrefs: 000000014000BB51, 000000014000BCA0

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: bad allocation
API String ID: 0-2104205924
Opcode ID: 233caf27f60ef1f0f08c67a9209eb84b41dc324597248f97368eaa283a9ca684
Instruction ID: 89edbf9562fe589ac904cbea2c02809d41e58fdd170df48a652667ac1b2e06cb
Opcode Fuzzy Hash: 233caf27f60ef1f0f08c67a9209eb84b41dc324597248f97368eaa283a9ca684
Instruction Fuzzy Hash: D181AF72315A8481EA66DB06F940BEAB7A4F798BC8F544121FF4907BA9EF78C445C700

Function 000001FE8FAD8E40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE3E78: malloc.LIBCMT ref: 000001FE8FAE3E92

GetLastInputInfo.USER32 ref: 000001FE8FAD8E80
GetTickCount.KERNEL32 ref: 000001FE8FAD8E86
wsprintfW.USER32 ref: 000001FE8FAD8EB7
GetForegroundWindow.USER32 ref: 000001FE8FAD8EBD
GetWindowTextW.USER32 ref: 000001FE8FAD8ED5

Strings

%d min, xrefs: 000001FE8FAD8EB0

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Window$CountForegroundInfoInputLastTextTickmallocwsprintf
String ID: %d min
API String ID: 4179731349-1947832151
Opcode ID: 422eb00071ef3fa8c2918f9fc1214eccc8ab5220253c98e71f31a22b5cd05278
Instruction ID: 48b5a93e36099cd2632bd77974dcd7553db97bb421d2394606cb83f391024469
Opcode Fuzzy Hash: 422eb00071ef3fa8c2918f9fc1214eccc8ab5220253c98e71f31a22b5cd05278
Instruction Fuzzy Hash: B4418E76704AC186E764EB26E4147EABBE0F788BD0F644125EF4A87B64DF38C506CB00

Function 000001FE8FAE53DC Relevance: 10.6, APIs: 7, Instructions: 93threadCOMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE95AC: HeapCreate.KERNEL32 ref: 000001FE8FAE95C2
Part of subcall function 000001FE8FAE95AC: GetVersion.KERNEL32 ref: 000001FE8FAE95D4
Part of subcall function 000001FE8FAE95AC: HeapSetInformation.KERNEL32 ref: 000001FE8FAE95F2

_RTC_Initialize.LIBCMT ref: 000001FE8FAE540E
GetCommandLineA.KERNEL32 ref: 000001FE8FAE5413

Part of subcall function 000001FE8FAEAB64: GetEnvironmentStringsW.KERNEL32 ref: 000001FE8FAEAB7D
Part of subcall function 000001FE8FAEAB64: WideCharToMultiByte.KERNEL32 ref: 000001FE8FAEABD4
Part of subcall function 000001FE8FAEAB64: WideCharToMultiByte.KERNEL32 ref: 000001FE8FAEAC0F
Part of subcall function 000001FE8FAEAB64: free.LIBCMT ref: 000001FE8FAEAC1C
Part of subcall function 000001FE8FAEAB64: FreeEnvironmentStringsW.KERNEL32 ref: 000001FE8FAEAC27

Part of subcall function 000001FE8FAEA424: GetStartupInfoW.KERNEL32 ref: 000001FE8FAEA445

__setargv.LIBCMT ref: 000001FE8FAE543C
_cinit.LIBCMT ref: 000001FE8FAE5450

Part of subcall function 000001FE8FAE6E44: FlsFree.KERNEL32 ref: 000001FE8FAE6E53
Part of subcall function 000001FE8FAE6E44: DeleteCriticalSection.KERNEL32 ref: 000001FE8FAEE8EB
Part of subcall function 000001FE8FAE6E44: free.LIBCMT ref: 000001FE8FAEE8F4
Part of subcall function 000001FE8FAE6E44: DeleteCriticalSection.KERNEL32 ref: 000001FE8FAEE91B

Part of subcall function 000001FE8FAEA6F8: free.LIBCMT ref: 000001FE8FAEA749

Part of subcall function 000001FE8FAE79CC: Sleep.KERNEL32 ref: 000001FE8FAE7A11

FlsSetValue.KERNEL32 ref: 000001FE8FAE54EA
GetCurrentThreadId.KERNEL32 ref: 000001FE8FAE54FE
free.LIBCMT ref: 000001FE8FAE550D

Part of subcall function 000001FE8FAE4698: HeapFree.KERNEL32 ref: 000001FE8FAE46AE
Part of subcall function 000001FE8FAE4698: _errno.LIBCMT ref: 000001FE8FAE46B8

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeap$ByteCharCriticalDeleteEnvironmentMultiSectionStringsWide$CommandCreateCurrentInfoInformationInitializeLineSleepStartupThreadValueVersion__setargv_cinit_errno
String ID:
API String ID: 2481119767-0
Opcode ID: fa810e96e6b49a81c5a3de3deb820a248b92c227eb375945ca1b424efe49a0c5
Instruction ID: d9117606c79373c043cbc2be301a0c937736e92856aeb6cfc51f392b099dc8a5
Opcode Fuzzy Hash: fa810e96e6b49a81c5a3de3deb820a248b92c227eb375945ca1b424efe49a0c5
Instruction Fuzzy Hash: 61316BB4610FC389FA647BB4A4723FD21DA9B653F1F2445F49B11C52F3EA2A88474622

Function 00007FF665B70970 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF665B709B8
WaitForSingleObject.KERNEL32 ref: 00007FF665B70A33
CloseHandle.KERNEL32 ref: 00007FF665B70A8C

Part of subcall function 00007FF665B4B5D0: _Init_thread_footer.LIBCMT ref: 00007FF665B4B703

Strings

QThread::wait: Thread wait failure, xrefs: 00007FF665B70A42
QThread::wait: Thread tried to wait on itself, xrefs: 00007FF665B709E4
default, xrefs: 00007FF665B709D8

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: CloseCurrentHandleInit_thread_footerObjectSingleThreadWait
String ID: QThread::wait: Thread tried to wait on itself$QThread::wait: Thread wait failure$default
API String ID: 3558220368-2839480340
Opcode ID: 5606b09bc6a5dc592dbef470d28760f875ccfb88470aa8651be09fd3ff341b3a
Instruction ID: fd3b3c08221b46820003e25844e0b2b1b6f57df2037d923d5cd075985dac745a
Opcode Fuzzy Hash: 5606b09bc6a5dc592dbef470d28760f875ccfb88470aa8651be09fd3ff341b3a
Instruction Fuzzy Hash: D641A722A18A46D5EB148B25D52236863B0FB89F74F185336DA6D8B2D1DF3DFC948700

Function 000001FE8FAE1280 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 000001FE8FAE12C2
SetLastError.KERNEL32 ref: 000001FE8FAE12F0
GetLastError.KERNEL32 ref: 000001FE8FAE1325
WSAGetLastError.WS2_32 ref: 000001FE8FAE1364

Strings

<C-CNNID: %Iu> OnReceive() event return 'HR_ERROR', connection will be closed !, xrefs: 000001FE8FAE1319
<C-CNNID: %Iu> recv 0 bytes (detect package), xrefs: 000001FE8FAE1389

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$recv
String ID: <C-CNNID: %Iu> OnReceive() event return 'HR_ERROR', connection will be closed !$<C-CNNID: %Iu> recv 0 bytes (detect package)
API String ID: 316788870-281152440
Opcode ID: e006504f11bb0893ad072e5ecebb35c70b253aa6bceec88274e66d0847f92e8c
Instruction ID: 78b296377526e2e9562bc5c1cdf7bb97f582d44dd9671c0692bf0d8f3befc177
Opcode Fuzzy Hash: e006504f11bb0893ad072e5ecebb35c70b253aa6bceec88274e66d0847f92e8c
Instruction Fuzzy Hash: 70317372604A9282EBD0AF25D4947AD27E0F758BE8F145171DF09C77A8EB38C4868740

Function 000001FE8FAD3FE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 000001FE8FAD3FEA
CoCreateInstance.OLE32 ref: 000001FE8FAD400E
SysFreeString.OLEAUT32 ref: 000001FE8FAD40D8
CoUninitialize.OLE32 ref: 000001FE8FAD4125

Strings

Network, xrefs: 000001FE8FAD3FE0
FriendlyName, xrefs: 000001FE8FAD40C0

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CreateFreeInitializeInstanceStringUninitialize
String ID: FriendlyName$Network
API String ID: 841178590-1437807293
Opcode ID: c51619dea522e0c55fc0899b43e0b55aa5e9855a9860aea8fcd38e191733d5da
Instruction ID: e9c5ad6de2b20fe82266fb4a3045e71557f8e361b334f4ea074eddc15ed4f41a
Opcode Fuzzy Hash: c51619dea522e0c55fc0899b43e0b55aa5e9855a9860aea8fcd38e191733d5da
Instruction Fuzzy Hash: 7F31ED36214A8682EB50EF35E4807AA67A0F7C4FD4F558162DB8E87B34DF39C54ACB40

Function 000001FE8FAD9EA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000001FE8FAD9EB0
GetFileAttributesW.KERNEL32 ref: 000001FE8FAD9F3A
GetLastError.KERNEL32 ref: 000001FE8FAD9F45
CreateProcessW.KERNEL32 ref: 000001FE8FAD9FAA

Strings

WinSta0\Default, xrefs: 000001FE8FAD9F60
h, xrefs: 000001FE8FAD9FA2

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: AttributesCreateErrorFileLastProcesslstrlen
String ID: WinSta0\Default$h
API String ID: 591566999-1620045033
Opcode ID: c8e2f4124be8c9a6e4893f230f4c199dab45ef929636d0fe5c6bc72b415117a5
Instruction ID: 4a32be5cd62f904bb9e3f21131cb254a73f3375210ccd98b5a656f62a3cda4d8
Opcode Fuzzy Hash: c8e2f4124be8c9a6e4893f230f4c199dab45ef929636d0fe5c6bc72b415117a5
Instruction Fuzzy Hash: 28318431704AC282EA60FB25B5553FAA3D5E788BF0F544371AB5987BE9DF38C0568B00

Function 00007FF665B6F9E0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF665B70290: _Init_thread_footer.LIBCMT ref: 00007FF665B7030B
Part of subcall function 00007FF665B70290: TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF665B5F780), ref: 00007FF665B7031C

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF665B5F780), ref: 00007FF665B6FA07
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF665B5F780), ref: 00007FF665B6FA53
GetCurrentThreadId.KERNEL32 ref: 00007FF665B6FA8A
GetCurrentProcess.KERNEL32 ref: 00007FF665B6FAB6
GetCurrentThread.KERNEL32 ref: 00007FF665B6FABF
GetCurrentProcess.KERNEL32 ref: 00007FF665B6FAC8
DuplicateHandle.KERNEL32 ref: 00007FF665B6FAF4

Part of subcall function 00007FF665B70350: GetCurrentThreadId.KERNEL32 ref: 00007FF665B70387
Part of subcall function 00007FF665B70350: CloseHandle.KERNEL32 ref: 00007FF665B70398

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Current$Thread$HandleProcessValue$AllocCloseDuplicateInit_thread_footer
String ID:
API String ID: 1145076070-0
Opcode ID: 408a2b34e50e2ba976580d2fae296fcd2328d94a12b92b755e17d9db50ea5d54
Instruction ID: 682116bd07024d957a7ccd2c15c64731ad6cd6ffae3081789320ef00f377ae50
Opcode Fuzzy Hash: 408a2b34e50e2ba976580d2fae296fcd2328d94a12b92b755e17d9db50ea5d54
Instruction Fuzzy Hash: 57311232919B46C6EB509B15E45522973B1FB49FA0F140239DA9E8BBD9DF3CF845C700

Function 000001FE8FAEF3E0 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000001FE8FAEF403
_errno.LIBCMT ref: 000001FE8FAEF40B

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 821f5293a29abbd7863e97bfbf14561feb01f87c9b858ffea3149c09338b6ff9
Instruction ID: 405c08f5698187b2c79e277f0b15093f519dc287c2f9a0bd543c7c9284a57925
Opcode Fuzzy Hash: 821f5293a29abbd7863e97bfbf14561feb01f87c9b858ffea3149c09338b6ff9
Instruction Fuzzy Hash: 8B219F327209C245E6157F65D8613FD76D1A7807F1F094AA5EB14073F2DAB894478760

Function 000001FE8FAE02E0 Relevance: 10.6, APIs: 7, Instructions: 67windowtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000001FE8FAE030E
timeGetTime.WINMM ref: 000001FE8FAE032B
MsgWaitForMultipleObjects.USER32 ref: 000001FE8FAE034B
PeekMessageW.USER32 ref: 000001FE8FAE036A
TranslateMessage.USER32 ref: 000001FE8FAE0379
DispatchMessageW.USER32 ref: 000001FE8FAE0384
PeekMessageW.USER32 ref: 000001FE8FAE039F

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Message$PeekTimetime$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 443098685-0
Opcode ID: a6a614697040017534cd3b1d3e96cc5a4ea4528f5d59ece13cf00c21120499df
Instruction ID: 78911c635d907e08d3eaf636c9a584f0ad5eba584287fc721d42bc39be1d3df6
Opcode Fuzzy Hash: a6a614697040017534cd3b1d3e96cc5a4ea4528f5d59ece13cf00c21120499df
Instruction Fuzzy Hash: 7721B73132099387E7609B25F494FAA77D4F794BF4FA05261DB5943AA4DB38C446CB00

Function 00000001400087F0 Relevance: 10.6, APIs: 7, Instructions: 67windowtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,?,?,?,?,?,?,?,?,?,0000000140008983), ref: 000000014000881E
timeGetTime.WINMM(?,?,?,?,?,?,?,?,?,?,?,0000000140008983), ref: 000000014000883B
MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,?,?,0000000140008983), ref: 000000014000885B
PeekMessageW.USER32 ref: 000000014000887A
TranslateMessage.USER32 ref: 0000000140008889
DispatchMessageW.USER32 ref: 0000000140008894
PeekMessageW.USER32 ref: 00000001400088AF

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Message$PeekTimetime$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 443098685-0
Opcode ID: f519665c691364a73c8828fb6620903fabd3b4a25194a309f82e53ada5401924
Instruction ID: 305f93d56b7a1220d1d78e3cac75812468a422e5bfdccfe149107610b3fc70fd
Opcode Fuzzy Hash: f519665c691364a73c8828fb6620903fabd3b4a25194a309f82e53ada5401924
Instruction Fuzzy Hash: 0C21C472720A5086E771CB22F844F9A7690F79CBE4F905210FFA943AA4DF39C541DB00

Function 00000001400165CC Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001400165EF
_errno.LIBCMT ref: 00000001400165F7

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 9e58cec45201999caa6b05e1c173c810d3651be65d0d5fa34ce860b1680aea3c
Instruction ID: 85330d2fbe747711bc0543bb121a805448bc9ce1ab9dc1387ae2301fd706829a
Opcode Fuzzy Hash: 9e58cec45201999caa6b05e1c173c810d3651be65d0d5fa34ce860b1680aea3c
Instruction Fuzzy Hash: 9921F672610A8085FA17AF27AC513ED6A516788BF6F494B14BF340B3F2DB7988418750

Function 0000000140016E10 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140016E33
_errno.LIBCMT ref: 0000000140016E3B

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: d5af6d6ea47b26156d266239ed3f575210affa9fd4014044047a89da60058037
Instruction ID: 074fd15d959efa4ad16c962e7676329d42022f576fce894e2d30af173cc363af
Opcode Fuzzy Hash: d5af6d6ea47b26156d266239ed3f575210affa9fd4014044047a89da60058037
Instruction Fuzzy Hash: 4621F37231094049F717AF27EC513ED2A91A7887E6F094A04BF140B3F2DB798C418760

Function 000001FE8FAEEB9C Relevance: 10.6, APIs: 7, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000001FE8FAEEBBF
_errno.LIBCMT ref: 000001FE8FAEEBC7

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 173280ab0a16f06b6be0f486b7fc90be9e63d45bf980aa7259864e1372d933b7
Instruction ID: 237ac229bd6be4199126948801346c10cc2ba1ee2faf9325665777f97d444034
Opcode Fuzzy Hash: 173280ab0a16f06b6be0f486b7fc90be9e63d45bf980aa7259864e1372d933b7
Instruction Fuzzy Hash: 5B21FF32660EC245E6157F14D8A53FD36D1A780BF1F0A4BA4AF380B3F2CA7894438360

Function 000001FE8FAF52A0 Relevance: 10.6, APIs: 7, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAF52B9
FlushFileBuffers.KERNEL32 ref: 000001FE8FAF531C
GetLastError.KERNEL32 ref: 000001FE8FAF5326
__doserrno.LIBCMT ref: 000001FE8FAF5336
_errno.LIBCMT ref: 000001FE8FAF533D

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno
String ID:
API String ID: 1845094721-0
Opcode ID: b93863f42654a4b52d6dd73c40ccdba5987062f1c3bd463329d4bbee9e2aa4a0
Instruction ID: 326da59b22fbf165f7f356265b4caf59501f44d794b773a68fc40691bdf2f72c
Opcode Fuzzy Hash: b93863f42654a4b52d6dd73c40ccdba5987062f1c3bd463329d4bbee9e2aa4a0
Instruction Fuzzy Hash: 7421A4316206C24AE6157F68E8A53FD26D1EB807F0F1807B8A7150F3F2DBA994438314

Function 0000000140019A28 Relevance: 10.6, APIs: 7, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140019A41
FlushFileBuffers.KERNEL32(?,00000000,00000000,000000014001798A,?,?,00000001,0000000140017A33,?,?,?,?,?,0000000140010D7D), ref: 0000000140019AA4
GetLastError.KERNEL32(?,00000000,00000000,000000014001798A,?,?,00000001,0000000140017A33,?,?,?,?,?,0000000140010D7D), ref: 0000000140019AAE
__doserrno.LIBCMT ref: 0000000140019ABE
_errno.LIBCMT ref: 0000000140019AC5

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno
String ID:
API String ID: 1845094721-0
Opcode ID: 2ecf625846f26760fb3b770c7eafe84ed63da7017f414341403592f9161424be
Instruction ID: c0a63ad0c55b3da5e9af5dde1c358875cc7bc34a67578c423fdc925ba2ea7be4
Opcode Fuzzy Hash: 2ecf625846f26760fb3b770c7eafe84ed63da7017f414341403592f9161424be
Instruction Fuzzy Hash: 3F21D531704A4085F7176FABA8913EE2690AF887D1F590518B7190F3FADA79C845C391

Function 000001FE8FADC070 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000001FE8FADC09F
GetWindowTextW.USER32 ref: 000001FE8FADC0BC
lstrlenW.KERNEL32 ref: 000001FE8FADC0F6
GetLocalTime.KERNEL32 ref: 000001FE8FADC105
wsprintfW.USER32 ref: 000001FE8FADC155

Part of subcall function 000001FE8FADBFB0: WaitForSingleObject.KERNEL32 ref: 000001FE8FADBFC7
Part of subcall function 000001FE8FADBFB0: CreateFileW.KERNEL32 ref: 000001FE8FADBFF9
Part of subcall function 000001FE8FADBFB0: SetFilePointer.KERNEL32 ref: 000001FE8FADC018
Part of subcall function 000001FE8FADBFB0: lstrlenW.KERNEL32 ref: 000001FE8FADC021
Part of subcall function 000001FE8FADBFB0: WriteFile.KERNEL32 ref: 000001FE8FADC03F
Part of subcall function 000001FE8FADBFB0: CloseHandle.KERNEL32 ref: 000001FE8FADC048
Part of subcall function 000001FE8FADBFB0: ReleaseMutex.KERNEL32 ref: 000001FE8FADC055

Strings

[, xrefs: 000001FE8FADC14E

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: File$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
String ID: [
API String ID: 3163932117-4056885943
Opcode ID: 73e49f8ca6e268b064f541a2adff590462e5e9fe521d7392cec81c559873f1d1
Instruction ID: 84cfe99c4af0d35cb3cfc2eb0fddbd1e7c88438dade533f80094b9df21b2df78
Opcode Fuzzy Hash: 73e49f8ca6e268b064f541a2adff590462e5e9fe521d7392cec81c559873f1d1
Instruction Fuzzy Hash: 32310E71218A8682E750FF52E8503B6B7E1F7C47D0F504126AA8986AB5DF3CC55ACB40

Function 000001FE8FAEE958 Relevance: 10.6, APIs: 7, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000001FE8FAEE97F

Part of subcall function 000001FE8FAE7DEC: _set_error_mode.LIBCMT ref: 000001FE8FAE7DF5
Part of subcall function 000001FE8FAE7DEC: _set_error_mode.LIBCMT ref: 000001FE8FAE7E04

Part of subcall function 000001FE8FAE7B8C: _set_error_mode.LIBCMT ref: 000001FE8FAE7BD1
Part of subcall function 000001FE8FAE7B8C: _set_error_mode.LIBCMT ref: 000001FE8FAE7BE2
Part of subcall function 000001FE8FAE7B8C: GetModuleFileNameW.KERNEL32 ref: 000001FE8FAE7C44

Part of subcall function 000001FE8FAE794C: malloc.LIBCMT ref: 000001FE8FAE7977
Part of subcall function 000001FE8FAE794C: Sleep.KERNEL32 ref: 000001FE8FAE798A

_errno.LIBCMT ref: 000001FE8FAEE9C1
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000001FE8FAEE9EB
free.LIBCMT ref: 000001FE8FAEE9F8
_errno.LIBCMT ref: 000001FE8FAEE9FD
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAEEA20

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountFileInitializeLeaveModuleNameSleepSpinfreemalloc
String ID:
API String ID: 3619412461-0
Opcode ID: adf093be1493d26b0308fb18adbfc07a86a0bd316682e00d36ba23ed80a1460b
Instruction ID: db019868a839225fa6c322e36390a704d2403c6407659659a3a0dbdcf2f17a87
Opcode Fuzzy Hash: adf093be1493d26b0308fb18adbfc07a86a0bd316682e00d36ba23ed80a1460b
Instruction Fuzzy Hash: 2C218E34720AC282F660BB50E8A43FA62E4F7847F0F0545B4A746576E2CF78C8428321

Function 000001FE8FAF5E90 Relevance: 10.6, APIs: 7, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000001FE8FAF5EA9
_errno.LIBCMT ref: 000001FE8FAF5EB1
_close_nolock.LIBCMT ref: 000001FE8FAF5F08

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: 39692bd83cbc8bad7885e4b5d4687ea0fb49e434dd73b264a51106f0543e9273
Instruction ID: 3bd5a95e766387fb336d127c0c95975dcd2f35e8955c35e82fa6c97816506b8e
Opcode Fuzzy Hash: 39692bd83cbc8bad7885e4b5d4687ea0fb49e434dd73b264a51106f0543e9273
Instruction Fuzzy Hash: DF117F32A146C64AE6257F25E8A53FD36D1E7807F1F154AB4A7260B3F3DAB984438720

Function 000001FE8FAEFC64 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAEFC88
_errno.LIBCMT ref: 000001FE8FAEFCA1
write_char.LIBCMT ref: 000001FE8FAEFCB7
_errno.LIBCMT ref: 000001FE8FAEFCC5
write_char.LIBCMT ref: 000001FE8FAEFCDA
_errno.LIBCMT ref: 000001FE8FAEFCE3
_errno.LIBCMT ref: 000001FE8FAEFCED

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: ea6d6c994a736733083169bee3cb065916d4f19d50813b09805ee92671e3cf58
Instruction ID: a14c74bd7298baa82d0e20fea488abd5e144e3651b4f0937fa9c038dca41bd6a
Opcode Fuzzy Hash: ea6d6c994a736733083169bee3cb065916d4f19d50813b09805ee92671e3cf58
Instruction Fuzzy Hash: E5117932940EC286E7207F22E4203B976E4F394BE4F2844A6DF45077A2DB39DA82C741

Function 000001FE8FAE8A58 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAE8A7C
_errno.LIBCMT ref: 000001FE8FAE8A95
write_char.LIBCMT ref: 000001FE8FAE8AAA
_errno.LIBCMT ref: 000001FE8FAE8AB7
write_char.LIBCMT ref: 000001FE8FAE8AC9
_errno.LIBCMT ref: 000001FE8FAE8AD2
_errno.LIBCMT ref: 000001FE8FAE8ADC

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: e0a6f99f23bc9ffbc8dd80dba2f8abd9560bbbb3885de2e40a26830c9027ae13
Instruction ID: bc193182b14a32cfd5c6e75e5b7feca31f472f4c769d7f28a11b518eb23faafc
Opcode Fuzzy Hash: e0a6f99f23bc9ffbc8dd80dba2f8abd9560bbbb3885de2e40a26830c9027ae13
Instruction Fuzzy Hash: E4119032625FC286E2607F62D4213E937E4F384BE0FA944A1DB54073E6DB38D9828741

Function 0000000140010138 Relevance: 10.6, APIs: 7, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001015C
_errno.LIBCMT ref: 0000000140010175
write_char.LIBCMT ref: 000000014001018A
_errno.LIBCMT ref: 0000000140010197
write_char.LIBCMT ref: 00000001400101A9
_errno.LIBCMT ref: 00000001400101B2
_errno.LIBCMT ref: 00000001400101BC

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: 082a03db74af1cf9bbd80cb42017acae4577966a07e222237cdd526c5155514a
Instruction ID: 52d97dd7007143bc4c3090bb3bf655117025ccd3f1fcc51e3636d6a506fd4299
Opcode Fuzzy Hash: 082a03db74af1cf9bbd80cb42017acae4577966a07e222237cdd526c5155514a
Instruction Fuzzy Hash: CB118C73510BD09AF722AB63A8003D936A0F39CBD4F188410FB940B7E6DBBDC8818741

Function 00007FF665C3AFCC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF665C3AFFD
GetLastError.KERNEL32 ref: 00007FF665C3B009
CloseHandle.KERNEL32 ref: 00007FF665C3B021
CreateFileW.KERNEL32 ref: 00007FF665C3B04C
WriteConsoleW.KERNEL32 ref: 00007FF665C3B06B

Strings

CONOUT$, xrefs: 00007FF665C3B02D

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 6c706e776ac81385c870dcad09bcf9c717d9a6faa38eacb18e293ef4a9f07b38
Instruction ID: 6e09cfa8d950c9bbd6620f41120edc1906cf0ec4927ae5ecd3582abc08916276
Opcode Fuzzy Hash: 6c706e776ac81385c870dcad09bcf9c717d9a6faa38eacb18e293ef4a9f07b38
Instruction Fuzzy Hash: 83117F22B18E42C6E7509B16E85672966B0FB88FE9F040238DA5ECB798CF3CDD44C744

Function 000001FE8FAD4E80 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000001FE8FAD4EAB
GetCommandLineW.KERNEL32 ref: 000001FE8FAD4EB1
GetStartupInfoW.KERNEL32 ref: 000001FE8FAD4EBF
CreateProcessW.KERNEL32 ref: 000001FE8FAD4F02
ExitProcess.KERNEL32 ref: 000001FE8FAD4F0B

Strings

, xrefs: 000001FE8FAD4EF6

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-3916222277
Opcode ID: 2d2fce262e285fa9fa2810391d16c93d7bb5af68b546423bde804a28fab8f9c8
Instruction ID: c983f394c5f1e3d718021007a8ed6e0ab179daa0d06a8c34500e0bca455e32cb
Opcode Fuzzy Hash: 2d2fce262e285fa9fa2810391d16c93d7bb5af68b546423bde804a28fab8f9c8
Instruction Fuzzy Hash: BF012C32614BC686DB609B24F85479AB7E0F7847D0F600225E78A47B78DF3CC14ACB00

Function 000001FE8FADBFB0 Relevance: 10.5, APIs: 7, Instructions: 38filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 000001FE8FADBFC7
CreateFileW.KERNEL32 ref: 000001FE8FADBFF9
SetFilePointer.KERNEL32 ref: 000001FE8FADC018
lstrlenW.KERNEL32 ref: 000001FE8FADC021
WriteFile.KERNEL32 ref: 000001FE8FADC03F
CloseHandle.KERNEL32 ref: 000001FE8FADC048
ReleaseMutex.KERNEL32 ref: 000001FE8FADC055

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: e6c73dd4b36f160f1a62fbf4a0c0e9ac1c0c35662008cd925dc09f0461ab862e
Instruction ID: bf0ceee8b68c13c0be624537bfe390abd0dac3eddc6d5cca93c4fca63a634a49
Opcode Fuzzy Hash: e6c73dd4b36f160f1a62fbf4a0c0e9ac1c0c35662008cd925dc09f0461ab862e
Instruction Fuzzy Hash: A7111231214AC682E750AF51F814BAA77A0F788BE5F544220DB5A47B74CF7CC54ACB00

Function 000001FE8FAEB0B8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 20COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000001FE8FAEB0D7

Part of subcall function 000001FE8FAE6FA8: _amsg_exit.LIBCMT ref: 000001FE8FAE6FBE

Part of subcall function 000001FE8FAEC2B4: _getptd.LIBCMT ref: 000001FE8FAEC2B8

_getptd.LIBCMT ref: 000001FE8FAEB0E9
_getptd.LIBCMT ref: 000001FE8FAEB0F7

Strings

RCC, xrefs: 000001FE8FAEB0BF
MOC, xrefs: 000001FE8FAEB0C7
csm, xrefs: 000001FE8FAEB0CF

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$_amsg_exit
String ID: MOC$RCC$csm
API String ID: 2610988583-2671469338
Opcode ID: e00eff0fe5e15c3e8c090d11fcbd1bf996e4955e1c4277de16df4e8acf759e70
Instruction ID: 0009083a8ee5226ce785d57f40fd3257dfe9c6ab3fc7de46ff2f8f2fbd958937
Opcode Fuzzy Hash: e00eff0fe5e15c3e8c090d11fcbd1bf996e4955e1c4277de16df4e8acf759e70
Instruction Fuzzy Hash: EAF09B35510586C5EB153B50806A3FC31D4FB947F9F85D5F58360423E2C7FC54828A62

Function 00007FF665BB05B0 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665BB2530: GetProcAddress.KERNEL32 ref: 00007FF665BB25D0
Part of subcall function 00007FF665BB2530: GetProcAddress.KERNEL32 ref: 00007FF665BB25E7
Part of subcall function 00007FF665BB2530: GetProcAddress.KERNEL32 ref: 00007FF665BB25FE
Part of subcall function 00007FF665BB2530: GetProcAddress.KERNEL32 ref: 00007FF665BB2615
Part of subcall function 00007FF665BB2530: GetCurrentProcess.KERNEL32 ref: 00007FF665BB2630
Part of subcall function 00007FF665BB2530: OpenProcessToken.ADVAPI32 ref: 00007FF665BB265C
Part of subcall function 00007FF665BB2530: GetTokenInformation.ADVAPI32 ref: 00007FF665BB2688
Part of subcall function 00007FF665BB2530: GetTokenInformation.ADVAPI32 ref: 00007FF665BB26BC
Part of subcall function 00007FF665BB2530: GetLengthSid.ADVAPI32 ref: 00007FF665BB26CC
Part of subcall function 00007FF665BB2530: CopySid.ADVAPI32 ref: 00007FF665BB26EA

LocalFree.KERNEL32 ref: 00007FF665BB07E0

Strings

.com, xrefs: 00007FF665BB08D3
.exe, xrefs: 00007FF665BB089F
.bat, xrefs: 00007FF665BB0907
.cmd, xrefs: 00007FF665BB0967
.pif, xrefs: 00007FF665BB0937

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc$Token$InformationProcess$CopyCurrentFreeLengthLocalOpen
String ID: .bat$.cmd$.com$.exe$.pif
API String ID: 3463338316-2292669753
Opcode ID: a4ee9e539fb5e06da0ce4f5bc97e58f13e50c77d53f1c576658f6c62b7bba354
Instruction ID: 4b4270117d2e3ae54697b916b64a818f83ccd118d3723e1f95df864c00396e95
Opcode Fuzzy Hash: a4ee9e539fb5e06da0ce4f5bc97e58f13e50c77d53f1c576658f6c62b7bba354
Instruction Fuzzy Hash: 3BF18F72A09746CAF7109F24D9962BDB7B0EB49B58F048130DA49CB6E8DF7CE945CB40

Function 000000014001598C Relevance: 9.1, APIs: 6, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001400159AB

Part of subcall function 000000014000E7A0: _amsg_exit.LIBCMT ref: 000000014000E7B6

Part of subcall function 00000001400155C8: _getptd.LIBCMT ref: 00000001400155D2
Part of subcall function 00000001400155C8: _amsg_exit.LIBCMT ref: 000000014001566F

Part of subcall function 0000000140015684: GetOEMCP.KERNEL32 ref: 00000001400156AE

Part of subcall function 000000014000F14C: malloc.LIBCMT ref: 000000014000F177
Part of subcall function 000000014000F14C: Sleep.KERNEL32(?,?,?,00000001400163E9,?,?,?,0000000140016493), ref: 000000014000F18A

free.LIBCMT ref: 0000000140015A36

Part of subcall function 000000014000CDD8: RtlFreeHeap.NTDLL(?,?,?,000000014000105E), ref: 000000014000CDEE
Part of subcall function 000000014000CDD8: _errno.LIBCMT ref: 000000014000CDF8

_lock.LIBCMT ref: 0000000140015A66
free.LIBCMT ref: 0000000140015B09
free.LIBCMT ref: 0000000140015B35
_errno.LIBCMT ref: 0000000140015B3A

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$FreeHeapSleep_lockmalloc
String ID:
API String ID: 2578750445-0
Opcode ID: e138ac5090ec4416d4897549da0a5f525d7f7cb45f4804d148dbd1b226c4d310
Instruction ID: 0e591f92b744082badca280c7c83663daab847f02ee4b8a2c4c949a31bcc18c2
Opcode Fuzzy Hash: e138ac5090ec4416d4897549da0a5f525d7f7cb45f4804d148dbd1b226c4d310
Instruction Fuzzy Hash: 0751A17620564086E762AB22E4803EDB7A1F788BD9F544116FB5A4F3F6CB39C842C751

Function 00007FF665B70350 Relevance: 9.1, APIs: 6, Instructions: 104threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF665B70387
CloseHandle.KERNEL32 ref: 00007FF665B70398
CreateEventW.KERNEL32 ref: 00007FF665B70482
CreateThread.KERNEL32 ref: 00007FF665B704C4
CloseHandle.KERNEL32 ref: 00007FF665B704CD

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: CloseCreateHandleThread$CurrentEvent
String ID:
API String ID: 1633135894-0
Opcode ID: 9c8cad1299e0c9272d8f2c6ec9908b311088d7a55ff6301e464786220b0a3468
Instruction ID: 213e82a22bd89a2e9f597797790ea7c4041c9e08151c8bc4ba3de22188e4da00
Opcode Fuzzy Hash: 9c8cad1299e0c9272d8f2c6ec9908b311088d7a55ff6301e464786220b0a3468
Instruction Fuzzy Hash: 3051B272E18A82C5EB249B01E8666787372FB99F51F455236C51E8B6E4CF3DEC81C700

Function 000001FE8FAE7778 Relevance: 9.1, APIs: 6, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000001FE8FAE77D4
DecodePointer.KERNEL32 ref: 000001FE8FAE77F2
DecodePointer.KERNEL32 ref: 000001FE8FAE7832
DecodePointer.KERNEL32 ref: 000001FE8FAE784C
DecodePointer.KERNEL32 ref: 000001FE8FAE785C
ExitProcess.KERNEL32 ref: 000001FE8FAE78E8

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: DecodePointer$ExitProcess
String ID:
API String ID: 1284615037-0
Opcode ID: 95cc4c190d7943855aadbb998e58200c754987734139fa49f6c9bfbe4b09495d
Instruction ID: 8bf4ea44ab5c67754fc2841c874a7593994590936d550a6873d21e76407201d3
Opcode Fuzzy Hash: 95cc4c190d7943855aadbb998e58200c754987734139fa49f6c9bfbe4b09495d
Instruction Fuzzy Hash: 26414831212AC281EA50BF11EC903B966E8F798BE4F5405B59B9D47BB5EF38C493C701

Function 000001FE8FADE7A0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001FE8FADE7D5
malloc.LIBCMT ref: 000001FE8FADE841

Part of subcall function 000001FE8FAE46D8: _FF_MSGBANNER.LIBCMT ref: 000001FE8FAE4708
Part of subcall function 000001FE8FAE46D8: HeapAlloc.KERNEL32 ref: 000001FE8FAE472D
Part of subcall function 000001FE8FAE46D8: _callnewh.LIBCMT ref: 000001FE8FAE4746
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE4751
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE475C

free.LIBCMT ref: 000001FE8FADE86A

Part of subcall function 000001FE8FAE4698: HeapFree.KERNEL32 ref: 000001FE8FAE46AE
Part of subcall function 000001FE8FAE4698: _errno.LIBCMT ref: 000001FE8FAE46B8

Strings

d, xrefs: 000001FE8FADE8E1
d, xrefs: 000001FE8FADE914
d, xrefs: 000001FE8FADE8EB

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$Heapmalloc$AllocFree_callnewhfree
String ID: d$d$d
API String ID: 4257515785-1898527202
Opcode ID: 5ac4ee45e769e9299644d6e5f03c679bef95057c7f94c81e09fa81b34d444265
Instruction ID: dc539c7218604c8467400093890ddcbbf3e5332f42643b797682f6eae7018db0
Opcode Fuzzy Hash: 5ac4ee45e769e9299644d6e5f03c679bef95057c7f94c81e09fa81b34d444265
Instruction Fuzzy Hash: DF413932111B91C5E791AF21E4403AD3BE8F348F98F49823ADB88477A8EF74C455CB60

Function 0000000140006CB0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000000140006CE5
malloc.LIBCMT ref: 0000000140006D51

Part of subcall function 000000014000CC4C: _FF_MSGBANNER.LIBCMT ref: 000000014000CC7C
Part of subcall function 000000014000CC4C: HeapAlloc.KERNEL32(?,?,00000000,000000014000F17C,?,?,?,00000001400163E9,?,?,?,0000000140016493), ref: 000000014000CCA1
Part of subcall function 000000014000CC4C: _callnewh.LIBCMT ref: 000000014000CCBA
Part of subcall function 000000014000CC4C: _errno.LIBCMT ref: 000000014000CCC5
Part of subcall function 000000014000CC4C: _errno.LIBCMT ref: 000000014000CCD0

free.LIBCMT ref: 0000000140006D7A

Part of subcall function 000000014000CDD8: RtlFreeHeap.NTDLL(?,?,?,000000014000105E), ref: 000000014000CDEE
Part of subcall function 000000014000CDD8: _errno.LIBCMT ref: 000000014000CDF8

Strings

d, xrefs: 0000000140006DFB
d, xrefs: 0000000140006DF1
d, xrefs: 0000000140006E24

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$Heapmalloc$AllocFree_callnewhfree
String ID: d$d$d
API String ID: 4257515785-1898527202
Opcode ID: 139d26f97f34ddb1c5a07088b983959269428ee9dd4b95dd2124b1124372c8c0
Instruction ID: d29088961ef00acf912362f415a2a07d24d89ebe10ac030ae935663d51a80c72
Opcode Fuzzy Hash: 139d26f97f34ddb1c5a07088b983959269428ee9dd4b95dd2124b1124372c8c0
Instruction Fuzzy Hash: 35410872511B90C5E741CF26E44039D3BA9F748F88F59813AEB88577A8EF79C454CB50

Function 000001FE8FADE4D0 Relevance: 9.1, APIs: 6, Instructions: 86networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 000001FE8FADE55F
free.LIBCMT ref: 000001FE8FADE576

Part of subcall function 000001FE8FAE4698: HeapFree.KERNEL32 ref: 000001FE8FAE46AE
Part of subcall function 000001FE8FAE4698: _errno.LIBCMT ref: 000001FE8FAE46B8

WSASetLastError.WS2_32 ref: 000001FE8FADE581
freeaddrinfo.WS2_32 ref: 000001FE8FADE5C8
htons.WS2_32 ref: 000001FE8FADE5D5
WSASetLastError.WS2_32 ref: 000001FE8FADE5E6

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$FreeHeap_errnofreefreeaddrinfogetaddrinfohtons
String ID:
API String ID: 443883550-0
Opcode ID: fda43265b886c102daf43b2b617a422d89d82c2805bd548c61f079e8a940deb0
Instruction ID: 6667aff9388ba7ff7c131cfc79d8997402f468c34f0d43de4b8e6d3e627d1a7d
Opcode Fuzzy Hash: fda43265b886c102daf43b2b617a422d89d82c2805bd548c61f079e8a940deb0
Instruction Fuzzy Hash: 94319F72204B8682EA61AF11E4903FA73E5F788BD4F044671DB8E47764EF38C546CB40

Function 00000001400069E0 Relevance: 9.1, APIs: 6, Instructions: 86networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 0000000140006A6F
free.LIBCMT ref: 0000000140006A86

Part of subcall function 000000014000CDD8: RtlFreeHeap.NTDLL(?,?,?,000000014000105E), ref: 000000014000CDEE
Part of subcall function 000000014000CDD8: _errno.LIBCMT ref: 000000014000CDF8

WSASetLastError.WS2_32 ref: 0000000140006A91
freeaddrinfo.WS2_32 ref: 0000000140006AD8
htons.WS2_32 ref: 0000000140006AE5
WSASetLastError.WS2_32 ref: 0000000140006AF6

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$FreeHeap_errnofreefreeaddrinfogetaddrinfohtons
String ID:
API String ID: 443883550-0
Opcode ID: 00ece6ab9261076df4cc1799edf66469b6af6a1b3b7ff64bccd036ea6a0b3bd2
Instruction ID: e1613d0920d85c40ef77f3643be714907899ebaa00d759c67aefd3a584b55e4e
Opcode Fuzzy Hash: 00ece6ab9261076df4cc1799edf66469b6af6a1b3b7ff64bccd036ea6a0b3bd2
Instruction Fuzzy Hash: 01314DB2304A4586EA26DB67A4403AA73A2FB8DB84F048126FB8D577A4DE38C555CB41

Function 000001FE8FAD2080 Relevance: 9.1, APIs: 6, Instructions: 76synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 000001FE8FAD209F
ResetEvent.KERNEL32 ref: 000001FE8FAD20AC
timeGetTime.WINMM ref: 000001FE8FAD20B2
WaitForSingleObject.KERNEL32 ref: 000001FE8FAD213F
ResetEvent.KERNEL32 ref: 000001FE8FAD215C
ResetEvent.KERNEL32 ref: 000001FE8FAD2170

Part of subcall function 000001FE8FAE3FEC: _errno.LIBCMT ref: 000001FE8FAE4017
Part of subcall function 000001FE8FAE3FEC: _invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE4022

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: EventReset$ObjectSingleTimeWait_errno_invalid_parameter_noinfotime
String ID:
API String ID: 2413556668-0
Opcode ID: 58d5c98b484be63242f2a745b5d15b4acce531cbd3b6e134beeab50c125b9f3c
Instruction ID: b131b14fc6332b8e9dc853b91f74492a8fbf94d1d957a30cf4b2f8ed933273ed
Opcode Fuzzy Hash: 58d5c98b484be63242f2a745b5d15b4acce531cbd3b6e134beeab50c125b9f3c
Instruction Fuzzy Hash: 3731E936204A8186DB50AF25E4543A977E4FB89FA9F588671EF8D8B364CF38C446D710

Function 00000001400020A0 Relevance: 9.1, APIs: 6, Instructions: 76synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 00000001400020BF
ResetEvent.KERNEL32 ref: 00000001400020CC
timeGetTime.WINMM ref: 00000001400020D2
WaitForSingleObject.KERNEL32 ref: 000000014000215F
ResetEvent.KERNEL32 ref: 000000014000217C
ResetEvent.KERNEL32 ref: 0000000140002190

Part of subcall function 000000014000C4D8: _errno.LIBCMT ref: 000000014000C503
Part of subcall function 000000014000C4D8: _invalid_parameter_noinfo.LIBCMT ref: 000000014000C50E

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: EventReset$ObjectSingleTimeWait_errno_invalid_parameter_noinfotime
String ID:
API String ID: 2413556668-0
Opcode ID: 09b971a88ccd1b78b33bbcbee9b1c9d3543779880420764c2a79a4a22bbaeadb
Instruction ID: 1364dac6d496d361330617d9c03f8f88c0092d4945388265d16f681336e5f9e4
Opcode Fuzzy Hash: 09b971a88ccd1b78b33bbcbee9b1c9d3543779880420764c2a79a4a22bbaeadb
Instruction Fuzzy Hash: C431E236204A8096DB52DF2AE8443AD73A0FB89B98F584522EF8E8B365CF39C445D710

Function 000001FE8FAEAB64 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000001FE8FAEAB7D
WideCharToMultiByte.KERNEL32 ref: 000001FE8FAEABD4
WideCharToMultiByte.KERNEL32 ref: 000001FE8FAEAC0F
free.LIBCMT ref: 000001FE8FAEAC1C
FreeEnvironmentStringsW.KERNEL32 ref: 000001FE8FAEAC27
FreeEnvironmentStringsW.KERNEL32 ref: 000001FE8FAEAC35

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: 84a5488434b8dac386b9b2b17d419ada68844002088eb87c8cee20c73c3e860a
Instruction ID: beddb2d6ecef8b541714e523d9e7d01c79d459e3aaa1224670de334b3626ce05
Opcode Fuzzy Hash: 84a5488434b8dac386b9b2b17d419ada68844002088eb87c8cee20c73c3e860a
Instruction Fuzzy Hash: F5215132605BC586EB64AF21A4506AA77E5F788FE1F484174EF8A07764EF38C452C704

Function 000001FE8FADD990 Relevance: 9.1, APIs: 6, Instructions: 67synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 000001FE8FADD9DD
SetLastError.KERNEL32 ref: 000001FE8FADD9EC
DeleteCriticalSection.KERNEL32 ref: 000001FE8FADDA16
DeleteCriticalSection.KERNEL32 ref: 000001FE8FADDA21
CloseHandle.KERNEL32 ref: 000001FE8FADDA36
free.LIBCMT ref: 000001FE8FADDA5E

Part of subcall function 000001FE8FAE1710: GetCurrentThreadId.KERNEL32 ref: 000001FE8FAE171D

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalDeleteSection$CloseCurrentErrorHandleLastObjectSingleThreadWaitfree
String ID:
API String ID: 3850363221-0
Opcode ID: 62b29d53877b0602228696265d4c3e16b8dba605d7c938668be82d41532a3494
Instruction ID: 5980006ded8fd526fbb6dd57df24641f86f0b1c86cdfc44ef9cde6ae2f375159
Opcode Fuzzy Hash: 62b29d53877b0602228696265d4c3e16b8dba605d7c938668be82d41532a3494
Instruction Fuzzy Hash: 41312732201BC2A6EB09BB64E8946A973A4FB857B0F540775D769876B5DF38C866C300

Function 0000000140005EA0 Relevance: 9.1, APIs: 6, Instructions: 67synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000000140005EED
SetLastError.KERNEL32 ref: 0000000140005EFC
DeleteCriticalSection.KERNEL32 ref: 0000000140005F26
DeleteCriticalSection.KERNEL32 ref: 0000000140005F31
CloseHandle.KERNEL32 ref: 0000000140005F46
free.LIBCMT ref: 0000000140005F6E

Part of subcall function 0000000140009C20: GetCurrentThreadId.KERNEL32 ref: 0000000140009C2D

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalDeleteSection$CloseCurrentErrorHandleLastObjectSingleThreadWaitfree
String ID:
API String ID: 3850363221-0
Opcode ID: 7ba8627e587de6b2ba61bc9eb102c82484e8b1aae736127abcd4623862191482
Instruction ID: 67a5c3439ddd4552bc3a77a1c279a0a7cdb83c7ad9308d4ebcabeb83fd366356
Opcode Fuzzy Hash: 7ba8627e587de6b2ba61bc9eb102c82484e8b1aae736127abcd4623862191482
Instruction Fuzzy Hash: 33317A36205B8092EB06EB66F8843A973A4FB897A1F540625E76D472F1DF78C864C300

Function 000001FE8FAE6F24 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001FE8FAE6F2E
FlsGetValue.KERNEL32 ref: 000001FE8FAE6F3C
SetLastError.KERNEL32 ref: 000001FE8FAE6F94

Part of subcall function 000001FE8FAE79CC: Sleep.KERNEL32 ref: 000001FE8FAE7A11

FlsSetValue.KERNEL32 ref: 000001FE8FAE6F68
GetCurrentThreadId.KERNEL32 ref: 000001FE8FAE6F7C
free.LIBCMT ref: 000001FE8FAE6F8B

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLastValue$CurrentSleepThreadfree
String ID:
API String ID: 4106700288-0
Opcode ID: 57c3c7dc90d119b9a0a8397eb99df9ec0dc69960eb39fbd81eb1c175a554dc43
Instruction ID: 28c17e85f8d9f492ec0527619b4a22b62c7b696fee3c585e1ab80d48ff0bdc27
Opcode Fuzzy Hash: 57c3c7dc90d119b9a0a8397eb99df9ec0dc69960eb39fbd81eb1c175a554dc43
Instruction Fuzzy Hash: BE017134211BC386EB14BB65E4646F863D5AB88BF0F588674DB26063F1EE3CE4068210

Function 000001FE8FAEB960 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000001FE8FAEB991

Part of subcall function 000001FE8FAE6FA8: _amsg_exit.LIBCMT ref: 000001FE8FAE6FBE

_getptd.LIBCMT ref: 000001FE8FAEB9AF
_CallSETranslator.LIBCMT ref: 000001FE8FAEB9F7

Part of subcall function 000001FE8FAE5B7C: _getptd.LIBCMT ref: 000001FE8FAE5BA3

Strings

MOC, xrefs: 000001FE8FAEB9C5
RCC, xrefs: 000001FE8FAEB9CD

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$CallTranslator_amsg_exit
String ID: MOC$RCC
API String ID: 1374396951-2084237596
Opcode ID: 471e037796de8d08be6d3bded12a618713ec4ce7d55a937e88732922ae4a25f6
Instruction ID: be80841abc372460f8c2b024911053a48a13620d96e3b791ca6425a699478734
Opcode Fuzzy Hash: 471e037796de8d08be6d3bded12a618713ec4ce7d55a937e88732922ae4a25f6
Instruction Fuzzy Hash: 2D617072614EC28ADE20EB15E0A43FDB3A0FB84BE8F444575DB9A477A9DB78C552C700

Function 000001FE8FADE950 Relevance: 8.9, APIs: 7, Instructions: 135COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000001FE8FADE9BF
free.LIBCMT ref: 000001FE8FADEA0F
free.LIBCMT ref: 000001FE8FADEA5F
free.LIBCMT ref: 000001FE8FADEAAF
free.LIBCMT ref: 000001FE8FADEADA
free.LIBCMT ref: 000001FE8FADEAFB
free.LIBCMT ref: 000001FE8FADEB39

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ccd28d9b9f54d451765389d19c9094d133687f5c0172ac4b6804d316aded8f02
Instruction ID: 56e572cb250ff0c837694ffad19a3d148e91fe88eb762acb76f6e6a7d1d770fa
Opcode Fuzzy Hash: ccd28d9b9f54d451765389d19c9094d133687f5c0172ac4b6804d316aded8f02
Instruction Fuzzy Hash: F7511636212F8685EAA5AF19E5903BCB3A4F748FD4F589561CB8D17364DF78D8A2C300

Function 0000000140006E60 Relevance: 8.9, APIs: 7, Instructions: 135COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140006ECF
free.LIBCMT ref: 0000000140006F1F
free.LIBCMT ref: 0000000140006F6F
free.LIBCMT ref: 0000000140006FBF
free.LIBCMT ref: 0000000140006FEA
free.LIBCMT ref: 000000014000700B
free.LIBCMT ref: 0000000140007049

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 0aac6f5110e6aeb601139c822595bec6a4ddb6e548ab8dd50ca83694b2f49f67
Instruction ID: 3e660e62738f3ee9a5dfa17730c970adb7624ae7e4a7d26a5058a80d1f6bedcf
Opcode Fuzzy Hash: 0aac6f5110e6aeb601139c822595bec6a4ddb6e548ab8dd50ca83694b2f49f67
Instruction Fuzzy Hash: 7451E5B6202B84C5DA56DF2AF5503A973A6FB1CBC0F589126EB4D13364DF38D8A1C310

Function 000001FE8FAF2CFC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001FE8FAEF788: _errno.LIBCMT ref: 000001FE8FAEF791
Part of subcall function 000001FE8FAEF788: _invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAEF79C

_errno.LIBCMT ref: 000001FE8FAF2D27
_errno.LIBCMT ref: 000001FE8FAF2D45
_isatty.LIBCMT ref: 000001FE8FAF2DA6
_getbuf.LIBCMT ref: 000001FE8FAF2DB2

Strings

, xrefs: 000001FE8FAF2D32

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 3655708593-3916222277
Opcode ID: 7b09e1906ab3bdf61c4e12b63eeb87704bb182e1eae830b71b365cf9be8a9ed8
Instruction ID: b6c8cfbbc216d04a52d7f137254639499b6bf9cb02d52035fa3b20d7afe03384
Opcode Fuzzy Hash: 7b09e1906ab3bdf61c4e12b63eeb87704bb182e1eae830b71b365cf9be8a9ed8
Instruction Fuzzy Hash: 7C418072600A8285EB28AF29E4513BD36D0E794BF4F244375DB654B3F5DA34C853C7A0

Function 000001FE8FAF2738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAF27A9
_errno.LIBCMT ref: 000001FE8FAF27B7
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAF27C3
_errno.LIBCMT ref: 000001FE8FAF27E9

Strings

P, xrefs: 000001FE8FAF27F8

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: P
API String ID: 2819658684-3110715001
Opcode ID: fe5746ab5c6c9aa6f367b9778bf255be9a480a7c147ea7114c03037db45542f8
Instruction ID: baeefaf5d818ad1c244464c944f92a19604fcc87de566f771405c8828e4456c0
Opcode Fuzzy Hash: fe5746ab5c6c9aa6f367b9778bf255be9a480a7c147ea7114c03037db45542f8
Instruction Fuzzy Hash: 8F2124312057C281FA51BA51A6103F9B2E4EB56BF0F0847B09F740FBFAD678C8428760

Function 0000000140018A78 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140018AE9
_errno.LIBCMT ref: 0000000140018AF7
_invalid_parameter_noinfo.LIBCMT ref: 0000000140018B03
_errno.LIBCMT ref: 0000000140018B29

Strings

P, xrefs: 0000000140018B38

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: P
API String ID: 2819658684-3110715001
Opcode ID: 0230ee96ae0ff30fdb3c69ccc9da7842eeea73fbececacfcfb5d99c022919653
Instruction ID: 9616486910279e0854492c662b486f7afc1de014b20fbd43661b6f412423302b
Opcode Fuzzy Hash: 0230ee96ae0ff30fdb3c69ccc9da7842eeea73fbececacfcfb5d99c022919653
Instruction Fuzzy Hash: 522127B1209BC042FA778A5799503D9A290BB5C7F0F484621BF751FBE6E77AC941C301

Function 00007FF665B72940 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF665B72961
SetWindowsHookExW.USER32 ref: 00007FF665B72978
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF665B71B41), ref: 00007FF665B7298E

Part of subcall function 00007FF665B49F50: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF665B49F89
Part of subcall function 00007FF665B49F50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF665B49FE7
Part of subcall function 00007FF665B49F50: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF665B4A03E

Strings

Qt: INTERNAL ERROR: failed to install GetMessage hook: %d, %s, xrefs: 00007FF665B729DB
default, xrefs: 00007FF665B729CC

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$CurrentFormatFreeHookLocalMessageThreadWindows
String ID: Qt: INTERNAL ERROR: failed to install GetMessage hook: %d, %s$default
API String ID: 2698278626-1575284884
Opcode ID: 029406882346d2b61cdb6a24368e8540b4e24a0623796e7308a3d706647215fa
Instruction ID: 2ecfea56de4e64af60218afa83152e2f87af4c0b34225c89a2883d0299978229
Opcode Fuzzy Hash: 029406882346d2b61cdb6a24368e8540b4e24a0623796e7308a3d706647215fa
Instruction Fuzzy Hash: A2319532A05B42C6EB208B25E8926697370FB8AB64F544235D95DCB6A9EF3CEC45C700

Function 00007FF665BB2820 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00007FF665BB28CE
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00007FF665BB28EA

Strings

Netapi32, xrefs: 00007FF665BB28B0
NetApiBufferFree, xrefs: 00007FF665BB28E0
NetShareEnum, xrefs: 00007FF665BB28C4

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc
String ID: NetApiBufferFree$NetShareEnum$Netapi32
API String ID: 190572456-1465082781
Opcode ID: 9bb911bc9721b275ddb24e47c19060044229378845a87b2b70f2b0579deb2b24
Instruction ID: 43d12fe6fa2850c9bac1b803aa29e5d59970c292522ae2969756b03a142bfcfb
Opcode Fuzzy Hash: 9bb911bc9721b275ddb24e47c19060044229378845a87b2b70f2b0579deb2b24
Instruction Fuzzy Hash: BA31DA21E1DB46C4FA669B14EC67379A2B1AF4AF64F581334D5ADCD2E1DF6CAC80C204

Function 000001FE8FAEB4D9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 000001FE8FAEB52C
_getptd.LIBCMT ref: 000001FE8FAEB4E1

Part of subcall function 000001FE8FAE6FA8: _amsg_exit.LIBCMT ref: 000001FE8FAE6FBE

_getptd.LIBCMT ref: 000001FE8FAEB5A3
_getptd.LIBCMT ref: 000001FE8FAEB5AF

Strings

csm, xrefs: 000001FE8FAEB563

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$ExceptionRaise_amsg_exit
String ID: csm
API String ID: 4155239085-1018135373
Opcode ID: cc0bd05e74b97bf011ab24d669f4709e412a339efcd8783e4d18e3893dc3c893
Instruction ID: bb12e1cb4438aa05cba277faaef85fca26df44d33916c70893a54c1c33ff10c4
Opcode Fuzzy Hash: cc0bd05e74b97bf011ab24d669f4709e412a339efcd8783e4d18e3893dc3c893
Instruction Fuzzy Hash: 3F314D36204A8286EA30EF11E0547EE73A4F7857F5F444275DFAA07BA2CB39D846CB10

Function 00007FF665C2DEF0 Relevance: 7.7, APIs: 5, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665C2DF32
GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF665C2DEAF,?,?,?,00007FF665C35656), ref: 00007FF665C2DFF0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF665C2DEAF,?,?,?,00007FF665C35656), ref: 00007FF665C2E07A

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4ef2423508507acd93b22b965fa9d9501701fcc0e2be0087648db0337b251196
Instruction ID: 0db8cd25f705f546522f3ef445f571d4601ffd23a51d5c94551cf3021165909d
Opcode Fuzzy Hash: 4ef2423508507acd93b22b965fa9d9501701fcc0e2be0087648db0337b251196
Instruction Fuzzy Hash: 24819C33A18653C5FB509B65C8426B927B1BB54F84F446239DA0EAF796DF38AC42C310

Function 000001FE8FAE9CA0 Relevance: 7.6, APIs: 5, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000001FE8FAE9CBF

Part of subcall function 000001FE8FAE6FA8: _amsg_exit.LIBCMT ref: 000001FE8FAE6FBE

Part of subcall function 000001FE8FAE98DC: _getptd.LIBCMT ref: 000001FE8FAE98E6
Part of subcall function 000001FE8FAE98DC: _amsg_exit.LIBCMT ref: 000001FE8FAE9983

Part of subcall function 000001FE8FAE9998: GetOEMCP.KERNEL32 ref: 000001FE8FAE99C2

Part of subcall function 000001FE8FAE794C: malloc.LIBCMT ref: 000001FE8FAE7977
Part of subcall function 000001FE8FAE794C: Sleep.KERNEL32 ref: 000001FE8FAE798A

free.LIBCMT ref: 000001FE8FAE9D4A

Part of subcall function 000001FE8FAE4698: HeapFree.KERNEL32 ref: 000001FE8FAE46AE
Part of subcall function 000001FE8FAE4698: _errno.LIBCMT ref: 000001FE8FAE46B8

free.LIBCMT ref: 000001FE8FAE9E1D
free.LIBCMT ref: 000001FE8FAE9E49
_errno.LIBCMT ref: 000001FE8FAE9E4E

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$FreeHeapSleepmalloc
String ID:
API String ID: 3974019375-0
Opcode ID: 9d71ec3d00ad548f00efd10b57eac8e9f1b01416729eb742b15b8c3336629385
Instruction ID: 3e152dfcf77f2e7d48e6cfd6a38e6c1fe2af68ae92db77edaca1b645bbc96a93
Opcode Fuzzy Hash: 9d71ec3d00ad548f00efd10b57eac8e9f1b01416729eb742b15b8c3336629385
Instruction Fuzzy Hash: FA519B36600BC286E764BB65E4A03F977E5F788BE4F1441A6DB9A573B6CB78C4438300

Function 000000014000E160 Relevance: 7.6, APIs: 5, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 000000014000E17D

Part of subcall function 0000000140016FA4: _errno.LIBCMT ref: 0000000140016FAD
Part of subcall function 0000000140016FA4: _invalid_parameter_noinfo.LIBCMT ref: 0000000140016FB8

_errno.LIBCMT ref: 000000014000E18D
_errno.LIBCMT ref: 000000014000E1A9
_isatty.LIBCMT ref: 000000014000E20A
_getbuf.LIBCMT ref: 000000014000E216

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-0
Opcode ID: 358c0b6ca0646f531c2cf5f9b0775408b047eeeca838f4ff74856cac89f43e4e
Instruction ID: bc7cf165727bea5250688e8ad9c41d632b8f27d5c6250d5af5f72457c52bc469
Opcode Fuzzy Hash: 358c0b6ca0646f531c2cf5f9b0775408b047eeeca838f4ff74856cac89f43e4e
Instruction Fuzzy Hash: 6241D0B2210B8486EB6ADF2AE8513EC37A4E78CBD4F144215FB69573E6DB34C851C780

Function 000001FE8FADB1B0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 000001FE8FADB1DF
SetLastError.KERNEL32 ref: 000001FE8FADB272

Strings

Main, xrefs: 000001FE8FADB1C2

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast
String ID: Main
API String ID: 1452528299-521822810
Opcode ID: 1c761e1382f4f4e8e21a5771b2742fd4ded768315d8239df106d7014fd1f2ec6
Instruction ID: f0ca3e6d8baab12edfa6743e89bb87527ab9954bc2c0168b66283b85268458bc
Opcode Fuzzy Hash: 1c761e1382f4f4e8e21a5771b2742fd4ded768315d8239df106d7014fd1f2ec6
Instruction Fuzzy Hash: E1417B72A00A86CAEB54AF11E4447BD73E0F748BE8F444275DB89477A8DB38E852CB40

Function 000001FE8FADAB80 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 000001FE8FADABBC
realloc.LIBCMT ref: 000001FE8FADAC23

Part of subcall function 000001FE8FAE52FC: malloc.LIBCMT ref: 000001FE8FAE5319

IsBadReadPtr.KERNEL32 ref: 000001FE8FADACA9
SetLastError.KERNEL32 ref: 000001FE8FADACCA
SetLastError.KERNEL32 ref: 000001FE8FADACE8

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLastRead$mallocrealloc
String ID:
API String ID: 3638135368-0
Opcode ID: 75ed8e998ff67cc508f611bcc8a92760ada60573c1da8e9bb44137df954cd51e
Instruction ID: 93d0f8f26e57c61e54960f00a7551130f7a8d0f018c631c07a6a10a1e470386a
Opcode Fuzzy Hash: 75ed8e998ff67cc508f611bcc8a92760ada60573c1da8e9bb44137df954cd51e
Instruction Fuzzy Hash: 77416B36201BC18BEB21AF56E4507AAB3E0FB48BE4F084565DF8A47765DF38E446C700

Function 000001FE8FAF10A0 Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000001FE8FAF10FA
malloc.LIBCMT ref: 000001FE8FAF115E
MultiByteToWideChar.KERNEL32 ref: 000001FE8FAF11A6
GetStringTypeW.KERNEL32 ref: 000001FE8FAF11BD
free.LIBCMT ref: 000001FE8FAF11D1

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: f3b033eb96f0b46acd52094bac7bcbe4840888fbf3d9e53257aca99f9f803477
Instruction ID: cc52c05c31ad58ad77660079f0a201a8b51175628b457c82467a44fa9858d218
Opcode Fuzzy Hash: f3b033eb96f0b46acd52094bac7bcbe4840888fbf3d9e53257aca99f9f803477
Instruction Fuzzy Hash: 75418032B10BC18AEB10AF2698006E967D5FB44BF8F584765EF294B7E4DB38C4028304

Function 00007FF665B73300 Relevance: 7.6, APIs: 5, Instructions: 98timewindowCOMMON

Download Yara Rule

APIs

GetQueueStatus.USER32 ref: 00007FF665B73385
KillTimer.USER32 ref: 00007FF665B733A8
PostMessageW.USER32 ref: 00007FF665B733E8
SetTimer.USER32 ref: 00007FF665B73412
_Init_thread_footer.LIBCMT ref: 00007FF665B7349F

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Timer$Init_thread_footerKillMessagePostQueueStatus
String ID:
API String ID: 1136730382-0
Opcode ID: 2a1125463b9bebcfd2710457b2660daa4214678dcf78bf51705dfbb01ba5d737
Instruction ID: 7b8946c0e22ce2375eb7058c13e31aa3e6c2b040dc616bc41cdcf6eea21d7ca7
Opcode Fuzzy Hash: 2a1125463b9bebcfd2710457b2660daa4214678dcf78bf51705dfbb01ba5d737
Instruction Fuzzy Hash: B3416D36A08A82C6E7648F25E4567A973B0FB4AF94F544039CE0DCB698DE3CEC858714

Function 000001FE8FAD74D0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001FE8FAD7503

Part of subcall function 000001FE8FAE46D8: _FF_MSGBANNER.LIBCMT ref: 000001FE8FAE4708
Part of subcall function 000001FE8FAE46D8: HeapAlloc.KERNEL32 ref: 000001FE8FAE472D
Part of subcall function 000001FE8FAE46D8: _callnewh.LIBCMT ref: 000001FE8FAE4746
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE4751
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE475C

free.LIBCMT ref: 000001FE8FAD752B
CreateDIBSection.GDI32 ref: 000001FE8FAD7597
free.LIBCMT ref: 000001FE8FAD75B6

Part of subcall function 000001FE8FAD7E20: GetObjectW.GDI32 ref: 000001FE8FAD7E52

free.LIBCMT ref: 000001FE8FAD75F6

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: free$_errno$AllocCreateHeapObjectSection_callnewhmalloc
String ID:
API String ID: 2034203143-0
Opcode ID: d3222581a7554e5581b8cf39a13de11888295550bf7cb58ccf28f3286197a644
Instruction ID: 4665e2bc2624fdf3c982e2f77d5d89714592757ddf396721087622a67f4ef633
Opcode Fuzzy Hash: d3222581a7554e5581b8cf39a13de11888295550bf7cb58ccf28f3286197a644
Instruction Fuzzy Hash: E2315332605AC146EB2ABF22D4003FAA6E8FB88BE4F4885759F4947775EF78D4128700

Function 000001FE8FADE390 Relevance: 7.6, APIs: 5, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000001FE8FADE3D0
WideCharToMultiByte.KERNEL32 ref: 000001FE8FADE419
GetLastError.KERNEL32 ref: 000001FE8FADE42A
WideCharToMultiByte.KERNEL32 ref: 000001FE8FADE453
WideCharToMultiByte.KERNEL32 ref: 000001FE8FADE490

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: db64cf0f651dc086ab79881f73d20ca8596acb5f99de422b62a97399abafdd11
Instruction ID: 6a6b501e280d4b907aad8cb9c090c62947c27da0d5b70be4ba65f2254a2468f1
Opcode Fuzzy Hash: db64cf0f651dc086ab79881f73d20ca8596acb5f99de422b62a97399abafdd11
Instruction Fuzzy Hash: EB318432704B8282E710AF56B48469BB7E5FB98BD4F184225ABC943B78CF3CC556C700

Function 00000001400068A0 Relevance: 7.6, APIs: 5, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00000001400068E0
WideCharToMultiByte.KERNEL32 ref: 0000000140006929
GetLastError.KERNEL32 ref: 000000014000693A
WideCharToMultiByte.KERNEL32 ref: 0000000140006963
WideCharToMultiByte.KERNEL32 ref: 00000001400069A0

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 5829725774077b7fe8e0868bd518cdc73ec5ce624404894a5e405c976afc8b2f
Instruction ID: 9e2f093d1824343bfdb86d089c484915bbbe08d1bcaa3bd202c419cb73c5e1be
Opcode Fuzzy Hash: 5829725774077b7fe8e0868bd518cdc73ec5ce624404894a5e405c976afc8b2f
Instruction Fuzzy Hash: BE315A72604B8182E711DF67B58078AB7A9FB9CBC4F184125ABC957B79CF3CC5558B00

Function 000001FE8FAF6620 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 000001FE8FAF6661
_exception_enabled.LIBCMT ref: 000001FE8FAF6684

Part of subcall function 000001FE8FAF6564: _set_statfp.LIBCMT ref: 000001FE8FAF658B
Part of subcall function 000001FE8FAF6564: _set_statfp.LIBCMT ref: 000001FE8FAF65FE

_raise_exc.LIBCMT ref: 000001FE8FAF66D0
_ctrlfp.LIBCMT ref: 000001FE8FAF6710
_ctrlfp.LIBCMT ref: 000001FE8FAF6741

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_exc
String ID:
API String ID: 3456427917-0
Opcode ID: 79c14e7db4d2e84cf453b14f21dc6eac39ded45f04e70965ea2fc96844330a76
Instruction ID: 7a4bfa217931f394853c4bc686635b2e57907029a27e9be4760d9c40207c2430
Opcode Fuzzy Hash: 79c14e7db4d2e84cf453b14f21dc6eac39ded45f04e70965ea2fc96844330a76
Instruction Fuzzy Hash: 51318636624A8589E750EF25E4112EFB7B5F7853D8F005265FF491AB68EF38C442CB00

Function 000001FE8FAE4790 Relevance: 7.6, APIs: 5, Instructions: 80memorythreadCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 000001FE8FAE47E2
GetSystemInfo.KERNEL32 ref: 000001FE8FAE47F9
SetThreadStackGuarantee.KERNEL32 ref: 000001FE8FAE480B
VirtualAlloc.KERNEL32 ref: 000001FE8FAE485E
VirtualProtect.KERNEL32 ref: 000001FE8FAE4878

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocGuaranteeInfoProtectQueryStackSystemThread
String ID:
API String ID: 513674450-0
Opcode ID: 7dd9ea1c87e4549bff250d1b923e95236c2df90eb6d5819fd71ae98f73500695
Instruction ID: 0d8db089931ba36164e222e020e24f298e21274643f6d2026ef6a543aff101a0
Opcode Fuzzy Hash: 7dd9ea1c87e4549bff250d1b923e95236c2df90eb6d5819fd71ae98f73500695
Instruction Fuzzy Hash: 0E313036310AC29AEB24DF35E8507E933E8F748B98F4841669E4A8B754DF38D656C740

Function 000001FE8FAE48FC Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000001FE8FAE4925
DecodePointer.KERNEL32 ref: 000001FE8FAE4935

Part of subcall function 000001FE8FAE9624: _errno.LIBCMT ref: 000001FE8FAE962D
Part of subcall function 000001FE8FAE9624: _invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE9638

EncodePointer.KERNEL32 ref: 000001FE8FAE49B3

Part of subcall function 000001FE8FAE7A50: realloc.LIBCMT ref: 000001FE8FAE7A7B
Part of subcall function 000001FE8FAE7A50: Sleep.KERNEL32 ref: 000001FE8FAE7A97

EncodePointer.KERNEL32 ref: 000001FE8FAE49C3
EncodePointer.KERNEL32 ref: 000001FE8FAE49D0

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: 17991c27d76004656ba42ca55b295eb408c37ea0a9db000b327a412a6d1edf3e
Instruction ID: 682299678c155cdbc39eef8f1a1110277e67e985439c34ddcd0b29a910f97146
Opcode Fuzzy Hash: 17991c27d76004656ba42ca55b295eb408c37ea0a9db000b327a412a6d1edf3e
Instruction Fuzzy Hash: 4B216D39302AC681EE10BB52F9542B9A3D5B748BE0F544475DF4E1B774EE78C056C300

Function 000000014000DC60 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000,?,?,000000014000DD75,?,?,?,?,000000014000C3DF), ref: 000000014000DC89
DecodePointer.KERNEL32(?,?,000000014000DD75,?,?,?,?,000000014000C3DF,?,?,?,?,?,?,?,00000001400015D2), ref: 000000014000DC99

Part of subcall function 0000000140013150: _errno.LIBCMT ref: 0000000140013159
Part of subcall function 0000000140013150: _invalid_parameter_noinfo.LIBCMT ref: 0000000140013164

EncodePointer.KERNEL32(?,?,000000014000DD75,?,?,?,?,000000014000C3DF,?,?,?,?,?,?,?,00000001400015D2), ref: 000000014000DD17

Part of subcall function 000000014000F250: realloc.LIBCMT ref: 000000014000F27B
Part of subcall function 000000014000F250: Sleep.KERNEL32(?,?,?,00000000,000000014000DD07,?,?,000000014000DD75,?,?,?,?,000000014000C3DF), ref: 000000014000F297

EncodePointer.KERNEL32(?,?,000000014000DD75,?,?,?,?,000000014000C3DF,?,?,?,?,?,?,?,00000001400015D2), ref: 000000014000DD27
EncodePointer.KERNEL32(?,?,000000014000DD75,?,?,?,?,000000014000C3DF,?,?,?,?,?,?,?,00000001400015D2), ref: 000000014000DD34

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: 54459d427933311d3a5c3208d054d81af71c97b01693f1a9eb3f7a4da65edfea
Instruction ID: 8247cf1f62f7df82403f5901ba5e1a2614e6b16f482c9c990dfd3856083622c0
Opcode Fuzzy Hash: 54459d427933311d3a5c3208d054d81af71c97b01693f1a9eb3f7a4da65edfea
Instruction Fuzzy Hash: 1D21F875205A8481EE06DB53F9483E9A3A1B78DBD0F444826EF4E4B775EA78D445D300

Function 000001FE8FADE280 Relevance: 7.6, APIs: 5, Instructions: 61networkstringCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 000001FE8FADE2BC
getpeername.WS2_32 ref: 000001FE8FADE2C4
htons.WS2_32 ref: 000001FE8FADE2E1
lstrlenW.KERNEL32 ref: 000001FE8FADE317
WSAGetLastError.WS2_32 ref: 000001FE8FADE328

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLastgetpeernamegetsocknamehtonslstrlen
String ID:
API String ID: 1560998626-0
Opcode ID: c734a573ce7dfaef318db430d04840a229c3ced714760d5c3b5a73f40af316d9
Instruction ID: dd21a321e5a31f983a51078ec38ecda4729626420779a1f594089119b0e3bb36
Opcode Fuzzy Hash: c734a573ce7dfaef318db430d04840a229c3ced714760d5c3b5a73f40af316d9
Instruction Fuzzy Hash: 36217C32204B82C6EB60AF15E4842BD77E0F788BE0F540275EB8987BA4DB38C456CB00

Function 000001FE8FAD12C0 Relevance: 7.6, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32 ref: 000001FE8FAD12E8
VirtualFree.KERNEL32 ref: 000001FE8FAD130C
VirtualFree.KERNEL32 ref: 000001FE8FAD132E
VirtualFree.KERNEL32 ref: 000001FE8FAD135B
VirtualFree.KERNEL32 ref: 000001FE8FAD1376
VirtualFree.KERNEL32 ref: 000001FE8FAD1391

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 1aa11bdb4510720bd8ad46d36d805cf89cd9d24c8924a76da2260b9335f5542b
Instruction ID: 0d6e6a1405620ce8f1cb03b2162d020d26ebc6366eb20dbe7c595ff809633cde
Opcode Fuzzy Hash: 1aa11bdb4510720bd8ad46d36d805cf89cd9d24c8924a76da2260b9335f5542b
Instruction Fuzzy Hash: 95211636711B4186EB98EF66E840668B3E9FF88FE4F148265CE4947A68CF38C556C700

Function 00007FF665C28E40 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665C28E64
CreateThread.KERNEL32 ref: 00007FF665C28EA5
GetLastError.KERNEL32 ref: 00007FF665C28EB3
CloseHandle.KERNEL32 ref: 00007FF665C28ED0
FreeLibrary.KERNEL32 ref: 00007FF665C28EDF

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 9f3bf3b611a25fd9af20a1efec53b308f414e593c4ce8467026b1375e3291df5
Instruction ID: efe71aaf1fec5184b232b02664430eaa7999ba9e58ebc8b8738e838cce6d56d3
Opcode Fuzzy Hash: 9f3bf3b611a25fd9af20a1efec53b308f414e593c4ce8467026b1375e3291df5
Instruction Fuzzy Hash: 7821382BA09B42C6EF14DF65E41297AA2B1AF94F84F085439DE4D8BB59DF3CE8048610

Function 00007FF665C3500C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF665C35034
_set_statfp.LIBCMT ref: 00007FF665C3504F
_set_statfp.LIBCMT ref: 00007FF665C3506B
_set_statfp.LIBCMT ref: 00007FF665C350A7

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: b438fef95e9de4e192e54f68da003bfb06ab1a0320ce8f8e52a96597e9ab0918
Instruction ID: 5e7131053352056950238d0109766d77b65e5a9c676b8112c150688de36943cf
Opcode Fuzzy Hash: b438fef95e9de4e192e54f68da003bfb06ab1a0320ce8f8e52a96597e9ab0918
Instruction Fuzzy Hash: 0011C473E1CA0B85F6581168D49337907B16F94B70E08067CE96E8E2EACE7EAC41C540

Function 000001FE8FAD7D50 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 000001FE8FAD7D98
SelectObject.GDI32 ref: 000001FE8FAD7DA9
SetDIBColorTable.GDI32 ref: 000001FE8FAD7DBF
SelectObject.GDI32 ref: 000001FE8FAD7DD2
DeleteDC.GDI32 ref: 000001FE8FAD7DF4

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ObjectSelect$ColorCompatibleCreateDeleteTable
String ID:
API String ID: 3899591553-0
Opcode ID: 8947a06e24e96cbb16fea5535f0303150291ac82d5cc01e71dd39e0745be825e
Instruction ID: 6b5db41d4366d355ee2674d0b4801053270097bb27fd9560e49f941e2428777d
Opcode Fuzzy Hash: 8947a06e24e96cbb16fea5535f0303150291ac82d5cc01e71dd39e0745be825e
Instruction Fuzzy Hash: 2A218135200A4189EB59AF25E8507B933A4FB94BE4F205264DB8A57768CF35C482C780

Function 000001FE8FADC8D0 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000001FE8FADC8F5
EnterCriticalSection.KERNEL32 ref: 000001FE8FADC8FF
LeaveCriticalSection.KERNEL32 ref: 000001FE8FADC90F
LeaveCriticalSection.KERNEL32 ref: 000001FE8FADC919

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 1f6a9fb51c2b84da157e2e3cd1e1033ba792cdd02042b8f3db644f72fc9350c0
Instruction ID: 407518be200521dbf29a51130307b64f3af97e95903b1c1821a5df37d15e3f4d
Opcode Fuzzy Hash: 1f6a9fb51c2b84da157e2e3cd1e1033ba792cdd02042b8f3db644f72fc9350c0
Instruction Fuzzy Hash: 6711033662498183EB91AB21F4947ED63A0F7487A5F941171DB9B86A70DF3CE4C7C700

Function 0000000140004DE0 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140004E05
EnterCriticalSection.KERNEL32 ref: 0000000140004E0F
LeaveCriticalSection.KERNEL32 ref: 0000000140004E1F
LeaveCriticalSection.KERNEL32 ref: 0000000140004E29

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 27a275d43472adae5db1faaa78edeb7c575d29a0cdd8bd5440967adc4db77422
Instruction ID: 3c9fda6647c770e7f41cf7310115e834e4dccbf0fe0fd89ca614509f88be52cc
Opcode Fuzzy Hash: 27a275d43472adae5db1faaa78edeb7c575d29a0cdd8bd5440967adc4db77422
Instruction Fuzzy Hash: 2C11FB76624A8083EBA1DB22F4943E963A0F75C7D1F441021EB8B47A70DF7DD88AD700

Function 000001FE8FAEACC8 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001FE8FAEACFF
GetCurrentProcessId.KERNEL32 ref: 000001FE8FAEAD0A
GetCurrentThreadId.KERNEL32 ref: 000001FE8FAEAD16
GetTickCount.KERNEL32 ref: 000001FE8FAEAD22
QueryPerformanceCounter.KERNEL32 ref: 000001FE8FAEAD33

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 087ee9406ee3a35d804722b5ad4831615591c4c9cb0efb3c3ae35d0179c68e7c
Instruction ID: cb4e223bbf5267da2768d0d2651cae5e3df36390bd426eaf7ae569ec413372f9
Opcode Fuzzy Hash: 087ee9406ee3a35d804722b5ad4831615591c4c9cb0efb3c3ae35d0179c68e7c
Instruction Fuzzy Hash: FC016D31265A8586EB50AF21F8507A663A0F789BE1F546630EF5A4B7B0CA38C8968300

Function 000001FE8FAF28F0 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000001FE8FAF28F9
_errno.LIBCMT ref: 000001FE8FAF2901

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 6757352e70f42596cca19de4ec5f347dbdabdcc3122fab71287a82e6dbf43f1a
Instruction ID: 45bfa7136a2fced76c379152fabd5f4285f17e40eddb8c0a94d4e635b01bbe4f
Opcode Fuzzy Hash: 6757352e70f42596cca19de4ec5f347dbdabdcc3122fab71287a82e6dbf43f1a
Instruction Fuzzy Hash: 6D018176A14AC644EA253B24D4E13FC36D1DB90BF1F508BA5D7290B3F2DA6C54438220

Function 0000000140002590 Relevance: 7.5, APIs: 5, Instructions: 29synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00000001400025A0
WaitForSingleObject.KERNEL32 ref: 00000001400025B0
CloseHandle.KERNEL32 ref: 00000001400025BD
Sleep.KERNEL32 ref: 00000001400025C8
CloseHandle.KERNEL32 ref: 00000001400025FB

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandleObjectSingleWait$Sleep
String ID:
API String ID: 91029115-0
Opcode ID: cc26c8d3f1758e817df8cd61288522319ca12ee63bbcc221306e2d6998ed2d79
Instruction ID: ce7a241355de95de9d233c9454c967dcad5972765cc3f42e4a70d4f715d60daf
Opcode Fuzzy Hash: cc26c8d3f1758e817df8cd61288522319ca12ee63bbcc221306e2d6998ed2d79
Instruction Fuzzy Hash: 7E01A836600A8481E742DB6AD8543682361FBCCF99F184121DF6E4B3B5CF35C486D321

Function 00007FF665BE5B90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF665C21200: EnterCriticalSection.KERNEL32 ref: 00007FF665C21210

GetProcAddress.KERNEL32 ref: 00007FF665BE5C8C
_Init_thread_footer.LIBCMT ref: 00007FF665BE5D07

Strings

SHGetKnownFolderPath, xrefs: 00007FF665BE5C82
shell32, xrefs: 00007FF665BE5C2C

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: AddressCriticalEnterInit_thread_footerProcSection
String ID: SHGetKnownFolderPath$shell32
API String ID: 3050242151-1045111711
Opcode ID: 2781453f8c16aefac335e9e8166fe62accc3f6a5c6ed498f4cfd73c8d39d4c5b
Instruction ID: 3ddd45e442c86281072a6ffc5c902be3fbd9fef2d4de9806a6e48893780db674
Opcode Fuzzy Hash: 2781453f8c16aefac335e9e8166fe62accc3f6a5c6ed498f4cfd73c8d39d4c5b
Instruction Fuzzy Hash: 95516032609A82C6E760DB15E85236973B0FB89B94F444235D69ECB7D5DF3CE841CB04

Function 000001FE8FAECE30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 000001FE8FAECE6B
_errno.LIBCMT ref: 000001FE8FAECE75
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAECE7C

Strings

-, xrefs: 000001FE8FAECE97

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 3ee52a3a24785a7fc091806b0d958f2a81b7a6cfbcf0ce8e670c4bd10c065dff
Instruction ID: 72d58b188400b415ee33be4782b4784bf0c93d285c053e7f0e8bcaad983cedd4
Opcode Fuzzy Hash: 3ee52a3a24785a7fc091806b0d958f2a81b7a6cfbcf0ce8e670c4bd10c065dff
Instruction Fuzzy Hash: 3A31E832304BC585EA20AA25A4507FAB7E0A745BF4F144272EF9887BE6DF3DC446C710

Function 0000000140013C9C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 0000000140013CD7
_errno.LIBCMT ref: 0000000140013CE1
_invalid_parameter_noinfo.LIBCMT ref: 0000000140013CE8

Strings

-, xrefs: 0000000140013D03

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 46aa22e80ba2c5872934a94fab64ff225dd37f18d0849ec0e39a5d0deea4399a
Instruction ID: def011c6f922c7a676358efa653782ba532edafc4f7f681bdd91da2884b7ca77
Opcode Fuzzy Hash: 46aa22e80ba2c5872934a94fab64ff225dd37f18d0849ec0e39a5d0deea4399a
Instruction Fuzzy Hash: CC31C83231468485EB229B27B4407DAB7A1A749BD4F544216FFD90BBE9DF3AC445CB00

Function 000001FE8FAF1D4C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAF1D65
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAF1D71
_errno.LIBCMT ref: 000001FE8FAF1D98

Strings

1, xrefs: 000001FE8FAF1DE7

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: 1
API String ID: 2819658684-2212294583
Opcode ID: e42cd22b66c2c710ae5e79c5bbbebf2e77b3ed4b785cd6836f41a57508a0d04c
Instruction ID: aea89f9280e980084d295df1ce8ca73ef5c68eec7e57a7eb71cf8e2341e66c71
Opcode Fuzzy Hash: e42cd22b66c2c710ae5e79c5bbbebf2e77b3ed4b785cd6836f41a57508a0d04c
Instruction Fuzzy Hash: 85219532215AC645F767BF24C4503FC6AE4DB05BD0F99C5B197460A3A3D62A8942C711

Function 000000014001808C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001400180A5
_invalid_parameter_noinfo.LIBCMT ref: 00000001400180B1
_errno.LIBCMT ref: 00000001400180D8

Strings

1, xrefs: 0000000140018127

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: 1
API String ID: 2819658684-2212294583
Opcode ID: 2f43f88bbe1bd91cc7cb3feb409fd4a14cd55f5ebcee323893c0bc387f0fb5b9
Instruction ID: 126ecb6a4ed584294f16de81e492ef384a4af089c2fc3c42b76c2b9d46fd1270
Opcode Fuzzy Hash: 2f43f88bbe1bd91cc7cb3feb409fd4a14cd55f5ebcee323893c0bc387f0fb5b9
Instruction Fuzzy Hash: 9621FF732186C495F77B8B2A88103ED6A98A70CBC0F99C411BF460F2A3E63B8A41C711

Function 00007FF665B734B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00007FF665B73524
SetWindowLongPtrW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF665B71B32), ref: 00007FF665B73562

Part of subcall function 00007FF665B4B5D0: _Init_thread_footer.LIBCMT ref: 00007FF665B4B703

Strings

%s: CreateWindow() for QEventDispatcherWin32 internal window failed, xrefs: 00007FF665B73539
struct HWND__ *__cdecl qt_create_internal_window(const class QEventDispatcherWin32 *), xrefs: 00007FF665B73532

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Window$CreateInit_thread_footerLong
String ID: %s: CreateWindow() for QEventDispatcherWin32 internal window failed$struct HWND__ *__cdecl qt_create_internal_window(const class QEventDispatcherWin32 *)
API String ID: 2938593978-1541743766
Opcode ID: eda67fbf92e630d0c72160588c332b7d3a44e1f2591f00d15a80d56d91615364
Instruction ID: e686abd5b9e9058d295705fd092cce27f2c1db57f1f4a09fe0fb8906c00a92ef
Opcode Fuzzy Hash: eda67fbf92e630d0c72160588c332b7d3a44e1f2591f00d15a80d56d91615364
Instruction Fuzzy Hash: 03114832A18695C2E6518F29F45101EA7B0FB49FA4B540235EB9D87BE9DF3CD9818B40

Function 00007FF665B4AED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55COMMON

Download Yara Rule

Strings

QT_FATAL_CRITICALS, xrefs: 00007FF665B4AF64
QT_FATAL_WARNINGS, xrefs: 00007FF665B4AF9C

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: QT_FATAL_CRITICALS$QT_FATAL_WARNINGS
API String ID: 0-1785144594
Opcode ID: 31495e7dcf0985454016301e3335c3f448df0f4c99aa0aa242f01e66ea667f80
Instruction ID: c78ad7177d650fbe7a625e1f33234397b35419ae30e2884f24f405acf3dda77b
Opcode Fuzzy Hash: 31495e7dcf0985454016301e3335c3f448df0f4c99aa0aa242f01e66ea667f80
Instruction Fuzzy Hash: A1214AB1E09D82C9FA609715DDA30B563B1AF5BF40F8002B9C11DCE2E5DE2CAD45CB04

Function 000001FE8FAE3E78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 000001FE8FAE3E86
malloc.LIBCMT ref: 000001FE8FAE3E92

Part of subcall function 000001FE8FAE46D8: _FF_MSGBANNER.LIBCMT ref: 000001FE8FAE4708
Part of subcall function 000001FE8FAE46D8: HeapAlloc.KERNEL32 ref: 000001FE8FAE472D
Part of subcall function 000001FE8FAE46D8: _callnewh.LIBCMT ref: 000001FE8FAE4746
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE4751
Part of subcall function 000001FE8FAE46D8: _errno.LIBCMT ref: 000001FE8FAE475C

std::exception::exception.LIBCMT ref: 000001FE8FAE3EFF

Strings

bad allocation, xrefs: 000001FE8FAE3ECF

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _callnewh_errno$AllocHeapmallocstd::exception::exception
String ID: bad allocation
API String ID: 2837191506-2104205924
Opcode ID: 15ab1da4c976b5a443b990e10891d2bdf45618e1db579182d28fa9cee56dbbac
Instruction ID: 0e88991fe8e64cada946dbec7cd352d1d93f9e12962376a3c8aad70b385188c1
Opcode Fuzzy Hash: 15ab1da4c976b5a443b990e10891d2bdf45618e1db579182d28fa9cee56dbbac
Instruction Fuzzy Hash: 98011779610B8781FE20BF20E8613F867E8B7953E4F8855759B8A466B1EB78C257C700

Function 00007FF665B706FA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF665B70722
ResumeThread.KERNEL32 ref: 00007FF665B7073F

Part of subcall function 00007FF665B4B5D0: _Init_thread_footer.LIBCMT ref: 00007FF665B4B703

Strings

QThread::start: Failed to set thread priority, xrefs: 00007FF665B7072C
QThread::start: Failed to resume new thread, xrefs: 00007FF665B7074A

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: 98667de634df17e3002f528c503baf9fd399360d270cee6032a1187459161a2c
Instruction ID: 252312715616c7115c57370e832abbe8f6d2c235e96383d5a1b244367ff9f896
Opcode Fuzzy Hash: 98667de634df17e3002f528c503baf9fd399360d270cee6032a1187459161a2c
Instruction Fuzzy Hash: 1FF01222E08946C1EA509725F8762B95370AF95F70F140336DA3ECA1E6DF2DFC958B00

Function 00007FF665B70701 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF665B70722
ResumeThread.KERNEL32 ref: 00007FF665B7073F

Part of subcall function 00007FF665B4B5D0: _Init_thread_footer.LIBCMT ref: 00007FF665B4B703

Strings

QThread::start: Failed to set thread priority, xrefs: 00007FF665B7072C
QThread::start: Failed to resume new thread, xrefs: 00007FF665B7074A

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: 68c966794d45a26bc0ce352807e4506a2a3e803fc2058c9121001f91d073ba25
Instruction ID: 8fc72878c85ed52567a887aa0bcfa1cb547a96f72367cc5155cd7ef3d149e78a
Opcode Fuzzy Hash: 68c966794d45a26bc0ce352807e4506a2a3e803fc2058c9121001f91d073ba25
Instruction Fuzzy Hash: C2F01222E08946C1EA509725F8762B953706F95F70F140336DA3ECA5E6DF2DFC958B00

Function 00007FF665B706E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF665B70722
ResumeThread.KERNEL32 ref: 00007FF665B7073F

Part of subcall function 00007FF665B4B5D0: _Init_thread_footer.LIBCMT ref: 00007FF665B4B703

Strings

QThread::start: Failed to set thread priority, xrefs: 00007FF665B7072C
QThread::start: Failed to resume new thread, xrefs: 00007FF665B7074A

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: 37056db6683098725aff1277900d26c7f0a8d787be9077936edb7e7a0fbe72ea
Instruction ID: 0c122449486dfc63634da57d81faa97c3d9c2eaf26b5883a2c725ff372f7ae82
Opcode Fuzzy Hash: 37056db6683098725aff1277900d26c7f0a8d787be9077936edb7e7a0fbe72ea
Instruction Fuzzy Hash: F5F0FF22E08946C1EA509725F8662B953706F96F70F540336DA7ECA1E6DF29FC958A00

Function 00007FF665B706E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF665B70722
ResumeThread.KERNEL32 ref: 00007FF665B7073F

Part of subcall function 00007FF665B4B5D0: _Init_thread_footer.LIBCMT ref: 00007FF665B4B703

Strings

QThread::start: Failed to set thread priority, xrefs: 00007FF665B7072C
QThread::start: Failed to resume new thread, xrefs: 00007FF665B7074A

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: 1c009da80423eb9776ad27b4896bc7a3d78086aba397a6fdea3ffa2447fc16ef
Instruction ID: 5c834c824b9c01b224cbaa872f76676b961d9dcbb84744adacec3582e7446b37
Opcode Fuzzy Hash: 1c009da80423eb9776ad27b4896bc7a3d78086aba397a6fdea3ffa2447fc16ef
Instruction Fuzzy Hash: 56F04F22A08946C1EA509725F8222B813706F86F70F140332DA3ECA1E6DF28FC858A00

Function 00007FF665B706F3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF665B70722
ResumeThread.KERNEL32 ref: 00007FF665B7073F

Part of subcall function 00007FF665B4B5D0: _Init_thread_footer.LIBCMT ref: 00007FF665B4B703

Strings

QThread::start: Failed to set thread priority, xrefs: 00007FF665B7072C
QThread::start: Failed to resume new thread, xrefs: 00007FF665B7074A

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: ba23d353b47921fc19f649bdb096968185609f198af8a22fc68cd0ba66401e9a
Instruction ID: 790368def3c1e4bdce298e6a3fed71e65180512ae0e69665c1643fdecacd7ed9
Opcode Fuzzy Hash: ba23d353b47921fc19f649bdb096968185609f198af8a22fc68cd0ba66401e9a
Instruction Fuzzy Hash: DEF0FF22E08946C1EA509725F8662B953706F95F70F140336DA3ECA1E6DF2DFC958A00

Function 00007FF665B706EE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF665B70722
ResumeThread.KERNEL32 ref: 00007FF665B7073F

Part of subcall function 00007FF665B4B5D0: _Init_thread_footer.LIBCMT ref: 00007FF665B4B703

Strings

QThread::start: Failed to set thread priority, xrefs: 00007FF665B7072C
QThread::start: Failed to resume new thread, xrefs: 00007FF665B7074A

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: 738b75d211e5ce6c5a6eb55f8bdd90dc21dfe2866fd69c22f6834b402a36fb24
Instruction ID: 04735b39b6787c363049f58febc9d05b6d43c0f1eae2b09eb83bc58e9531aeed
Opcode Fuzzy Hash: 738b75d211e5ce6c5a6eb55f8bdd90dc21dfe2866fd69c22f6834b402a36fb24
Instruction Fuzzy Hash: 38F0FF22A08946C1EA509725F8662B953706F96F70F140336DA7ECA1E6DF29FC958A00

Function 000001FE8FAE75A8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001FE8FAE75B7
GetProcAddress.KERNEL32 ref: 000001FE8FAE75CC

Strings

mscoree.dll, xrefs: 000001FE8FAE75B0
CorExitProcess, xrefs: 000001FE8FAE75C2

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 616ddb4d295f18e0d5ebf620ba6ad7aac28a66247e066f97f832725591873133
Instruction ID: 9b31a62f75b73b54dacfcb21dafb6c24df06f09fd04dbbd21c694206c7ed38d8
Opcode Fuzzy Hash: 616ddb4d295f18e0d5ebf620ba6ad7aac28a66247e066f97f832725591873133
Instruction Fuzzy Hash: 40E01230711A8642FE19BB51E8A47B513D5AF4C7A0F8C15B8871E0B3B0DF28C54BC710

Function 000000014000ED8C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,000000014000EDD5,?,?,00000028,000000014000CC95,?,?,00000000,000000014000F17C,?,?,?,00000001400163E9), ref: 000000014000ED9B
GetProcAddress.KERNEL32(?,?,000000FF,000000014000EDD5,?,?,00000028,000000014000CC95,?,?,00000000,000000014000F17C,?,?,?,00000001400163E9), ref: 000000014000EDB0

Strings

mscoree.dll, xrefs: 000000014000ED94
CorExitProcess, xrefs: 000000014000EDA6

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 4bbfd39f8bf343ea1ca5c34338239d701a48d2a774a5be26f10ebce2c9f64242
Instruction ID: 71ffbbccc92808b43813d08085ef59349100938ca0567fadc8db71697ad937b1
Opcode Fuzzy Hash: 4bbfd39f8bf343ea1ca5c34338239d701a48d2a774a5be26f10ebce2c9f64242
Instruction Fuzzy Hash: 16E0127071170082FE1BDB92BC843E41250AB4C7C0F48542D9A1E073F2EF3C99488750

Function 000001FE8FAE08F0 Relevance: 6.3, APIs: 5, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 000001FE8FAE0925
MultiByteToWideChar.KERNEL32 ref: 000001FE8FAE095C
GetLastError.KERNEL32 ref: 000001FE8FAE096D
MultiByteToWideChar.KERNEL32 ref: 000001FE8FAE0994
MultiByteToWideChar.KERNEL32 ref: 000001FE8FAE09C7

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 0f019e937948a6d47832e34f67adf2063f94cc7fb04caa044bbf51efa6f953eb
Instruction ID: cb41fc656dc49bbcd6b81cdc985572a690cfac52a7bd8b8c87c7267beb23a72a
Opcode Fuzzy Hash: 0f019e937948a6d47832e34f67adf2063f94cc7fb04caa044bbf51efa6f953eb
Instruction Fuzzy Hash: 4C218236704BC282E714AFA2B45479BA7A5FB887E8F1485359B8847B74DF7CC54AC700

Function 0000000140008E00 Relevance: 6.3, APIs: 5, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 0000000140008E35
MultiByteToWideChar.KERNEL32 ref: 0000000140008E6C
GetLastError.KERNEL32 ref: 0000000140008E7D
MultiByteToWideChar.KERNEL32 ref: 0000000140008EA4
MultiByteToWideChar.KERNEL32 ref: 0000000140008ED7

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 7b6a82a3cecccb768db571671d4363707eed458c3a164f31cf85666ce331445c
Instruction ID: 1367ca4fc0ad25944009171f3ece5e31aaa5564db9c75415ed5b608e2aa7c643
Opcode Fuzzy Hash: 7b6a82a3cecccb768db571671d4363707eed458c3a164f31cf85666ce331445c
Instruction Fuzzy Hash: D3217A76604B8286E725DBA3B44479BA7A5B78CBD8F088125AF8947B74CF7CC54A8700

Function 000001FE8FADB360 Relevance: 6.3, APIs: 5, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000001FE8FADB3A5
free.LIBCMT ref: 000001FE8FADB3E5
free.LIBCMT ref: 000001FE8FADB438
GetProcessHeap.KERNEL32 ref: 000001FE8FADB445
HeapFree.KERNEL32 ref: 000001FE8FADB453

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: free$Heap$FreeProcess
String ID:
API String ID: 3493288988-0
Opcode ID: e74aae544f5a46ba22eee78589248f0f87bde554db02cbcf63cd116665f5f2e6
Instruction ID: 5cbf474f9e563e6267febcf9a42408d8f57e3ab84a64377a8e06bcc2df1fbc49
Opcode Fuzzy Hash: e74aae544f5a46ba22eee78589248f0f87bde554db02cbcf63cd116665f5f2e6
Instruction Fuzzy Hash: AD312B36711A9193EB59EB56E5507AD63B0FB88FE0F084265DF4A17F64CF38D4A28700

Function 000001FE8FAE2B30 Relevance: 6.3, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 000001FE8FAE2B44
EnterCriticalSection.KERNEL32 ref: 000001FE8FAE2B5F
SetLastError.KERNEL32 ref: 000001FE8FAE2B70
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE2B79

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: e5f5a7a0dc5c8876328b0cc5bc067911a8c5247e3853157b53872c7db5139999
Instruction ID: 9499d1f32b2d2fcd542a16a7bf841c481104a5730838478e5473d3b2d96ba178
Opcode Fuzzy Hash: e5f5a7a0dc5c8876328b0cc5bc067911a8c5247e3853157b53872c7db5139999
Instruction Fuzzy Hash: 9801FF31B14A8583EB546B65F8557A823D1F784BB0F581370DB768B7E49F38C4968700

Function 000000014000B040 Relevance: 6.3, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 000000014000B054
EnterCriticalSection.KERNEL32 ref: 000000014000B06F
SetLastError.KERNEL32 ref: 000000014000B080
LeaveCriticalSection.KERNEL32 ref: 000000014000B089

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 522e542781311d7e6f090ded623bc72729966cf96487a5008a3685ae68b96bf6
Instruction ID: be956a872a1c6a2900d84f2f534e5b7a64f0e72c58f44559afabd09d7ae00775
Opcode Fuzzy Hash: 522e542781311d7e6f090ded623bc72729966cf96487a5008a3685ae68b96bf6
Instruction Fuzzy Hash: 6601FB35710944C3EB959B66F8553A823A1F78CBE5F881220EB7A4B6F0DF79C4958700

Function 00007FF665B95DB0 Relevance: 6.2, APIs: 4, Instructions: 246COMMONLIBRARYCODE

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FF665B95E7D
std::bad_exception::bad_exception.LIBCMT ref: 00007FF665B95E9A
std::bad_exception::bad_exception.LIBCMT ref: 00007FF665B95EB7
std::bad_exception::bad_exception.LIBCMT ref: 00007FF665B95FCF

Part of subcall function 00007FF665C20CE8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF665C20D18

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: std::bad_exception::bad_exception$Concurrency::cancel_current_task
String ID:
API String ID: 208461638-0
Opcode ID: 73a7ac148250d6fe23e634dcb3216ee3d6b184c37dc2c70ddf0f85e991ab9da2
Instruction ID: 0bbe2fe47534aa28ed7dc9d8ee01d24b8ab279f045cc6b1281cccc6de29b64cd
Opcode Fuzzy Hash: 73a7ac148250d6fe23e634dcb3216ee3d6b184c37dc2c70ddf0f85e991ab9da2
Instruction Fuzzy Hash: 2DA10C21A0AB4286EE95AB51E4323A962F4BF4BB44F54013CD68D9F7C6EF3DEC048311

Function 000001FE8FAE501C Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAE504B
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE5056
iswctype.LIBCMT ref: 000001FE8FAE508F
_errno.LIBCMT ref: 000001FE8FAE51B9

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfoiswctype
String ID:
API String ID: 248606491-0
Opcode ID: 8990e4657c5db3c90a51578a81b61c88cef929f9a05e6dfaeb4bfedc03f5f406
Instruction ID: 7972d8b7e741db0d7740ce2e3a4c3e42c375b3f3863835df0af8685b5b677303
Opcode Fuzzy Hash: 8990e4657c5db3c90a51578a81b61c88cef929f9a05e6dfaeb4bfedc03f5f406
Instruction Fuzzy Hash: 5851B2B2900DD34DFBB43A2AB8313FA21D1AF407F4F2545B1EF51C21E9E66A88839251

Function 00000001400110C8 Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001400110F7
_invalid_parameter_noinfo.LIBCMT ref: 0000000140011102
iswctype.LIBCMT ref: 000000014001113B
_errno.LIBCMT ref: 0000000140011265

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfoiswctype
String ID:
API String ID: 248606491-0
Opcode ID: 606257ffbb467dae4197fa97c9caa10e9ea433f99056969b45ae169b58c78470
Instruction ID: ad4b2e940984449f39046f900497b05137e73722569b21e27d707f41fcf6c88f
Opcode Fuzzy Hash: 606257ffbb467dae4197fa97c9caa10e9ea433f99056969b45ae169b58c78470
Instruction Fuzzy Hash: E151053290016150FBBF5A2B98013EEA1E1BBCC7E8F554211FF518F1F3E67AC8958202

Function 0000000140016028 Relevance: 6.2, APIs: 4, Instructions: 159COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140016076
_invalid_parameter_noinfo.LIBCMT ref: 0000000140016081
DecodePointer.KERNEL32(?,?,?,?,?,000000014000DBD8,?,?,?,?,000000014000747E), ref: 0000000140016130
_lock.LIBCMT ref: 000000014001615B

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: 92f3ae0ad62b5c177dba82905c82cd58413f65951c15738f7d565db9f6b1117e
Instruction ID: 306741b34e3bfef789a284ba9ddeea403501a44d48d6e2f29ff15227e5e03a67
Opcode Fuzzy Hash: 92f3ae0ad62b5c177dba82905c82cd58413f65951c15738f7d565db9f6b1117e
Instruction Fuzzy Hash: 8951937260474092FA679B37AC403FA66A2F38D7D4F284519FB5A4B6B6CB3ADC41C600

Function 000001FE8FAD31E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000001FE8FAD338F
MultiByteToWideChar.KERNEL32 ref: 000001FE8FAD33B7

Strings

Network, xrefs: 000001FE8FAD31E2
X64, xrefs: 000001FE8FAD32C4

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Network$X64
API String ID: 626452242-3809260122
Opcode ID: 23ae036aa3b1d2709e1c4a854c1d6364a8d361c4d22c79d840b97e812a5fc968
Instruction ID: 8bedb2256c72763b8a345755e8d6baf6d31a5b14c633238809a1879be163b5e1
Opcode Fuzzy Hash: 23ae036aa3b1d2709e1c4a854c1d6364a8d361c4d22c79d840b97e812a5fc968
Instruction Fuzzy Hash: 76517C32214AC495E750EB65E8452DEA7A1FB847F4F904326FB7A57AE9CF38C146CB00

Function 00007FF665BB1950 Relevance: 6.1, APIs: 4, Instructions: 125comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FF665BB19C4
CoInitialize.OLE32 ref: 00007FF665BB19D6
CoCreateInstance.OLE32 ref: 00007FF665BB19FA
CoUninitialize.OLE32 ref: 00007FF665BB1B21

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: CreateInstance$InitializeUninitialize
String ID:
API String ID: 1701838895-0
Opcode ID: cd67ddf5dae77c640e0d9ee24c34f1a23b683f0c5909ce805016218ca2d8fa47
Instruction ID: c202600e088da42b23e086ce21d5dfe9a575869488e7a3a7993dca445c2efd8e
Opcode Fuzzy Hash: cd67ddf5dae77c640e0d9ee24c34f1a23b683f0c5909ce805016218ca2d8fa47
Instruction Fuzzy Hash: CC518D72608B42C6EB209F25E49126A7370FB89F94F544136DA5ECB798DF7DD844CB40

Function 000001FE8FAE67D0 Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001FE8FAEF788: _errno.LIBCMT ref: 000001FE8FAEF791
Part of subcall function 000001FE8FAEF788: _invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAEF79C

_errno.LIBCMT ref: 000001FE8FAE67FD
_errno.LIBCMT ref: 000001FE8FAE6819
_isatty.LIBCMT ref: 000001FE8FAE687A
_getbuf.LIBCMT ref: 000001FE8FAE6886

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 3655708593-0
Opcode ID: ae0d8a242cb8cd5958c0b3c400ec99c91f7a88f021bfb64fbd7b9bdb8558b75e
Instruction ID: f55a5bd9ddef3aed64daf8715711badaf345646b3aeb94cd797bebd1ff3d7d98
Opcode Fuzzy Hash: ae0d8a242cb8cd5958c0b3c400ec99c91f7a88f021bfb64fbd7b9bdb8558b75e
Instruction Fuzzy Hash: 9641E372620F8286EB58AF28C4613BC36E4E794BF4F144675DB65473E5EA34E852C780

Function 000001FE8FAECBC0 Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE4F78: _getptd.LIBCMT ref: 000001FE8FAE4F8A

_errno.LIBCMT ref: 000001FE8FAECBFE
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAECC08
_errno.LIBCMT ref: 000001FE8FAECC2C
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAECC36

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd
String ID:
API String ID: 1297830140-0
Opcode ID: 5c3f2eb0de4ecc964b19cd037dcff679cc0c5f13b20e04879b55f5937233c062
Instruction ID: b7e2f13a67408a4fb7847bcb2a42d3dc8f1a6997d88506d2226459189537deb0
Opcode Fuzzy Hash: 5c3f2eb0de4ecc964b19cd037dcff679cc0c5f13b20e04879b55f5937233c062
Instruction Fuzzy Hash: 04419F72214BC186E761AF25D1A43FD7BE0E784BE0F0441B1DB5A83BA6DB28C456C700

Function 0000000140013A2C Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014000D8C4: _getptd.LIBCMT ref: 000000014000D8D6

_errno.LIBCMT ref: 0000000140013A6A
_invalid_parameter_noinfo.LIBCMT ref: 0000000140013A74
_errno.LIBCMT ref: 0000000140013A98
_invalid_parameter_noinfo.LIBCMT ref: 0000000140013AA2

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd
String ID:
API String ID: 1297830140-0
Opcode ID: 5a870b931761ab599753f8bfd16992f766053f307be36c29dad451088aec4ffc
Instruction ID: fa439592d95ae1f100fac341de21a33952704bf9bde9568e0b02c20916df6298
Opcode Fuzzy Hash: 5a870b931761ab599753f8bfd16992f766053f307be36c29dad451088aec4ffc
Instruction Fuzzy Hash: 1341C272218B8486EB62DF26D5D43ED77A0F788BD0F544121FB894BBA6DB39C445C701

Function 000001FE8FAEB10C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE593C: _getptd.LIBCMT ref: 000001FE8FAE5940

_getptd.LIBCMT ref: 000001FE8FAEB14B

Part of subcall function 000001FE8FAE6FA8: _amsg_exit.LIBCMT ref: 000001FE8FAE6FBE

_SetImageBase.LIBCMT ref: 000001FE8FAEB21E
_getptd.LIBCMT ref: 000001FE8FAEB24C
_getptd.LIBCMT ref: 000001FE8FAEB25A

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$BaseImage_amsg_exit
String ID:
API String ID: 2306399499-0
Opcode ID: 35e29d8fd6bc9845a79005a57f687935efa70cb60b342af0ce20e08c547ff475
Instruction ID: 2097a90748cc370bc428928cf3f35293e30dccd9e5a7c1c3e9070058aacf5cc1
Opcode Fuzzy Hash: 35e29d8fd6bc9845a79005a57f687935efa70cb60b342af0ce20e08c547ff475
Instruction Fuzzy Hash: 82417F72600E8785EA20B755E4A53FD76D0AF91BF8F5582B19B69837F2DB34C4478300

Function 000001FE8FAE14A0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000001FE8FAE14CE
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE14E8
LeaveCriticalSection.KERNEL32 ref: 000001FE8FAE1556
SetEvent.KERNEL32 ref: 000001FE8FAE1571

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: feb78f70b4df6414eb21c9ecdb35b5c2724385254891411f69aab51776cc5172
Instruction ID: fb730899d58e458f5f0d5bb14b29070a1bd9d7c1975ab3b355ecbc3167042375
Opcode Fuzzy Hash: feb78f70b4df6414eb21c9ecdb35b5c2724385254891411f69aab51776cc5172
Instruction Fuzzy Hash: 7A21B632304BC182D758DB29E9946ADB3A4F789BE4F244275DBAA87774DF34D4A28700

Function 00000001400099B0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,000000014000A1EA), ref: 00000001400099DE
LeaveCriticalSection.KERNEL32(?,?,?,?,?,000000014000A1EA), ref: 00000001400099F8
LeaveCriticalSection.KERNEL32 ref: 0000000140009A66
SetEvent.KERNEL32 ref: 0000000140009A81

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: fa82e5b209470ce26a85e264d624b6564f0e8887b78138c3eaa11438d14ff89d
Instruction ID: ef994ee9f9bed98942f48a86039c6ac5302df09849ecf8edac7f4e264bc9dd67
Opcode Fuzzy Hash: fa82e5b209470ce26a85e264d624b6564f0e8887b78138c3eaa11438d14ff89d
Instruction Fuzzy Hash: C621E772304B8082D759CB2AF5803AEB3A4F78DBE4F144225EBA987774DF78D4618740

Function 000001FE8FAE6E44 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32 ref: 000001FE8FAE6E53
DeleteCriticalSection.KERNEL32 ref: 000001FE8FAEE8EB
free.LIBCMT ref: 000001FE8FAEE8F4
DeleteCriticalSection.KERNEL32 ref: 000001FE8FAEE91B

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 895ab2ec1fe574897f2a59e2529e51965fc67142c4c41bc2158851cfbd195e4a
Instruction ID: e46e48b1c35410e89fb737a6577e536b099b8fcc10226006fd0392790963f549
Opcode Fuzzy Hash: 895ab2ec1fe574897f2a59e2529e51965fc67142c4c41bc2158851cfbd195e4a
Instruction Fuzzy Hash: 75113D35A11AC2C6FA65AF15E8A43B863E0E784BF4F990260DB65062B5CB38D8528710

Function 0000000140017824 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 0000000140017838

Part of subcall function 0000000140016470: _amsg_exit.LIBCMT ref: 000000014001649A

fclose.LIBCMT ref: 0000000140017868
DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000140010D8B), ref: 000000014001788C
free.LIBCMT ref: 000000014001789D

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
String ID:
API String ID: 594724896-0
Opcode ID: c9f77b097b1ff9bda74785914cee94378daf67591831374db37bb86d897c1467
Instruction ID: 87264e52a2fda171319df8fe2e39f3b91f2b5136f1d58ff83c7a7e57e2184c2b
Opcode Fuzzy Hash: c9f77b097b1ff9bda74785914cee94378daf67591831374db37bb86d897c1467
Instruction Fuzzy Hash: 5E113A3655464082EA129B1AE8847ECB771F798BC4F25421AEB9E4B2F5CF76CC52C604

Function 00000001400155C8 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001400155D2

Part of subcall function 000000014000E7A0: _amsg_exit.LIBCMT ref: 000000014000E7B6

_lock.LIBCMT ref: 0000000140015600
free.LIBCMT ref: 0000000140015636
_amsg_exit.LIBCMT ref: 000000014001566F

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: aaf890dc514d5b1d758f0962d46d07e81864927ddcd3fcb5db6298c144a2bb2a
Instruction ID: d3e7cd872bcac190c33a9ccc74263bc35aee3c0c3613b0a7fbc1b13082b0cc7e
Opcode Fuzzy Hash: aaf890dc514d5b1d758f0962d46d07e81864927ddcd3fcb5db6298c144a2bb2a
Instruction Fuzzy Hash: 60114C35216A40C2EA96AB12E5807E933A1F74CBC1F480426FB5D0B7B6DF39C850C750

Function 000000014000E63C Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,000000014000E9B1,?,?,00000000,000000014000CAB4), ref: 000000014000E64B
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000E9B1), ref: 000000014001631B
free.LIBCMT ref: 0000000140016324
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014000E9B1), ref: 000000014001634B

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: c25eac38dcb995f992205fe458d8dab7938c3d4adf6374a094264ee5461f7dec
Instruction ID: cd47141b7d78026fdc00fdad829ff1479e6926bb3c39f440062878921503200c
Opcode Fuzzy Hash: c25eac38dcb995f992205fe458d8dab7938c3d4adf6374a094264ee5461f7dec
Instruction Fuzzy Hash: E0115E36A01A40C6FB66DF27F8543A863A0F758BE4F980215FB6A0B2B5CB39C955C700

Function 000001FE8FADCAB0 Relevance: 6.0, APIs: 4, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001FE8FADC7A0: free.LIBCMT ref: 000001FE8FADC809

HeapDestroy.KERNEL32 ref: 000001FE8FADCADC
HeapCreate.KERNEL32 ref: 000001FE8FADCAED
free.LIBCMT ref: 000001FE8FADCAFF
HeapDestroy.KERNEL32 ref: 000001FE8FADCB22

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Heap$Destroyfree$Create
String ID:
API String ID: 2478812866-0
Opcode ID: 0a4b86de96d23adba954d842b9e5b68399cc0f510354a5343c41260661051d6d
Instruction ID: 5a00c20c43c5f53510d8a5e8125813b0ece0219b642d085caf205d7da4caa26a
Opcode Fuzzy Hash: 0a4b86de96d23adba954d842b9e5b68399cc0f510354a5343c41260661051d6d
Instruction Fuzzy Hash: E4015E36211B8185EB45AF70E45026973A4FB44FF8F644724DF5A472B8CF38C891C650

Function 000001FE8FAE3F6C Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001FE8FAE3FA1
ExitThread.KERNEL32 ref: 000001FE8FAE3FA9
GetCurrentThreadId.KERNEL32 ref: 000001FE8FAE3FB0
_freefls.LIBCMT ref: 000001FE8FAE3FE1

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$CurrentErrorExitLast_freefls
String ID:
API String ID: 217443660-0
Opcode ID: 5f66bd7f545b5964a83d9e571df25c32621f8b99ae5f15c0ae7904e1522f0d0e
Instruction ID: 0d311d97ae7fbe4b66278e0fe1b7426e010659d12bb5ee0c065eee16f994fff8
Opcode Fuzzy Hash: 5f66bd7f545b5964a83d9e571df25c32621f8b99ae5f15c0ae7904e1522f0d0e
Instruction Fuzzy Hash: EB011935210F8745EB047B71D4697FD23E9AB08BE4F2848B49B4D4B3A6FE2584068320

Function 000000014000C458 Relevance: 6.0, APIs: 4, Instructions: 32threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000014000C48D
ExitThread.KERNEL32 ref: 000000014000C495
GetCurrentThreadId.KERNEL32 ref: 000000014000C49C
_freefls.LIBCMT ref: 000000014000C4CD

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$CurrentErrorExitLast_freefls
String ID:
API String ID: 217443660-0
Opcode ID: f2f81f6585889129bd2191fcc95c645116c6f610b9ebac548b2344c704875f41
Instruction ID: 5d255d52c81a4e596e4553f0409be69b44d9720ffbe38365c9e265ec0aa6c932
Opcode Fuzzy Hash: f2f81f6585889129bd2191fcc95c645116c6f610b9ebac548b2344c704875f41
Instruction Fuzzy Hash: 7A0119B4612B8045EA56EB73B4597EC22A4BB1CBC4F140434BB1D5B3A3EE3684044311

Function 000001FE8FADBD60 Relevance: 6.0, APIs: 4, Instructions: 29threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 000001FE8FADBD83
CreateThread.KERNEL32 ref: 000001FE8FADBDA3
WaitForSingleObject.KERNEL32 ref: 000001FE8FADBDAF
Sleep.KERNEL32 ref: 000001FE8FADBDBA

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CreateThread$ObjectSingleSleepWait
String ID:
API String ID: 1183137808-0
Opcode ID: 2b652301547513394443e9f97cfd61dfc27d7781a9a24f35fd08fa08d1a6b0cc
Instruction ID: e6b3651a5e78e668710784757de109a0d9b7a09c8a5f5057f928e79280fe48df
Opcode Fuzzy Hash: 2b652301547513394443e9f97cfd61dfc27d7781a9a24f35fd08fa08d1a6b0cc
Instruction Fuzzy Hash: 74F06271604A8282EB24AF31B8455AA77E1F7C87E8F544369DB5946674CF3CC1568604

Function 0000000140015E98 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000140015E9E

Part of subcall function 000000014000E7A0: _amsg_exit.LIBCMT ref: 000000014000E7B6

_getptd.LIBCMT ref: 0000000140015EBE
_lock.LIBCMT ref: 0000000140015ED1
_amsg_exit.LIBCMT ref: 0000000140015EFF

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 7c67cffeddd678964c17013522561c9584b14d1f54746d947ace77451792012d
Instruction ID: bdc125533324197ca72332f2517a0ca58343d11622ac4bcaa2ab41edbff0b5df
Opcode Fuzzy Hash: 7c67cffeddd678964c17013522561c9584b14d1f54746d947ace77451792012d
Instruction Fuzzy Hash: 81F01775602140C2FA5ABB63D841BE822A1AB9CB81F4C0538FB1C4F3F2DB35C954D311

Function 00007FF665BB2B80 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 00007FF665BB2BE4
GetLongPathNameW.KERNEL32 ref: 00007FF665BB2C09

Strings

C:/tmp, xrefs: 00007FF665BB2D8F

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Path$LongNameTemp
String ID: C:/tmp
API String ID: 730912879-4167066228
Opcode ID: 83439be4317a1c61e43b9cbe7d8e863dedc4cfdc833063ea0791e58a1257d570
Instruction ID: 5acc4af8bd60c0fdbd8faedb876fb2d424d95bb373b6cb8d717767ed85dce685
Opcode Fuzzy Hash: 83439be4317a1c61e43b9cbe7d8e863dedc4cfdc833063ea0791e58a1257d570
Instruction Fuzzy Hash: 3F919372608A41C6E7609F15D8A2269B3B0FB8AF94F544231DA5DCB7A8DF7DDC42CB40

Function 00007FF665B70F00 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168registryCOMMON

Download Yara Rule

APIs

RegisterClassW.USER32 ref: 00007FF665B71044

Strings

%s: RegisterClass() failed, xrefs: 00007FF665B71089
__cdecl QWindowsMessageWindowClassContext::QWindowsMessageWindowClassContext(void), xrefs: 00007FF665B71082

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ClassRegister
String ID: %s: RegisterClass() failed$__cdecl QWindowsMessageWindowClassContext::QWindowsMessageWindowClassContext(void)
API String ID: 2764894006-1290848616
Opcode ID: 70229b2911cac80b679d5468395164f5b932432c6456549db484ff30615120df
Instruction ID: 68651fcdfd6bbd4255f3aa9a3278ee366cf19c5f6423b17372bb6d27ffe29961
Opcode Fuzzy Hash: 70229b2911cac80b679d5468395164f5b932432c6456549db484ff30615120df
Instruction Fuzzy Hash: 02718332B05A41CAEB10DF79D4A11AD73B0EB49F58F548636EA1DCBAD5DE38E812C740

Function 000001FE8FAEC08C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000001FE8FAEC0B0

Part of subcall function 000001FE8FAE6FA8: _amsg_exit.LIBCMT ref: 000001FE8FAE6FBE

Strings

csm, xrefs: 000001FE8FAEC0DD
csm, xrefs: 000001FE8FAEC1E7

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _amsg_exit_getptd
String ID: csm$csm
API String ID: 4217099735-3733052814
Opcode ID: 7e8e174ab0f273131100006893f629f4bc2b8ef3f7f9a6985eb2b96e491aa145
Instruction ID: f1ecafa01394643f58d3a5a2f44337a0f1307f2d9bdf664342a1d8a28137fefc
Opcode Fuzzy Hash: 7e8e174ab0f273131100006893f629f4bc2b8ef3f7f9a6985eb2b96e491aa145
Instruction Fuzzy Hash: 6E51AE32204AC28AEB64BE6594603FD77E0FB45BE4F448175DB59D7BA5CB38C892CB01

Function 00007FF665C32DA4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF665C32DE7

Strings

e+000, xrefs: 00007FF665C32E8C
gfff, xrefs: 00007FF665C32F09

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 0f2dbf502fb50cc3c9119360ffe868a7f7c1b9d889f18b21b2ea719df869edc6
Instruction ID: fe2a3680c0106959b455f411540164bcb36c96ff2d203ba69285791408f4abd1
Opcode Fuzzy Hash: 0f2dbf502fb50cc3c9119360ffe868a7f7c1b9d889f18b21b2ea719df869edc6
Instruction Fuzzy Hash: DE510563B187C6C6EB258B25EC523696AB1E744F90F089239D79C8BAD5CE2CEC44C740

Function 00007FF665B45F60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF665B4601B

Strings

QCoreApplication::applicationFilePath: Please instantiate the QApplication object first, xrefs: 00007FF665B45FA7
default, xrefs: 00007FF665B45F9B

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Init_thread_footer
String ID: QCoreApplication::applicationFilePath: Please instantiate the QApplication object first$default
API String ID: 1385522511-1195541078
Opcode ID: 06e3373bd0cf0de3971f7f336e6d5dd1eaadc2dca8628431f20a1437d26f4a2b
Instruction ID: e6ce401ceec409f22c9026b718d52c522a7a6775b444587adddf14e2ae68a033
Opcode Fuzzy Hash: 06e3373bd0cf0de3971f7f336e6d5dd1eaadc2dca8628431f20a1437d26f4a2b
Instruction Fuzzy Hash: 9E511C31A09A42C6EA10DF25E4926797370FB8AF90F504235DA5ECB7A9DF3CE841C740

Function 000001FE8FAD841A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE3E78: malloc.LIBCMT ref: 000001FE8FAE3E92

wsprintfW.USER32 ref: 000001FE8FAD846D
CloseHandle.KERNEL32 ref: 000001FE8FAD859C

Strings

%s_bin, xrefs: 000001FE8FAD8463

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandlemallocwsprintf
String ID: %s_bin
API String ID: 2399101171-2665034546
Opcode ID: 0a69d819fd656596b93c855f7e1b851c5acc7014e10a6c2c838e2f35afa1a01a
Instruction ID: 06668cf6e5361198fc7edba844a7c377ed070ece087ed6071a33ea630d4d70ba
Opcode Fuzzy Hash: 0a69d819fd656596b93c855f7e1b851c5acc7014e10a6c2c838e2f35afa1a01a
Instruction Fuzzy Hash: 65419EBA711BC681EB65FB26E4147F927E4E785BE4F5082A5CF1E037A2DA39C542C300

Function 00007FF665C2DC94 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF665C2DDAB
GetLastError.KERNEL32 ref: 00007FF665C2DDCD

Strings

U, xrefs: 00007FF665C2DD57

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: fd5550cb344639488e59e975bf7c83b31fce18860d2481271e35627b1b3623d5
Instruction ID: de3e9ccba7a9f326234d7c126ec7682651540645f22fac09c6cd106db78f0f22
Opcode Fuzzy Hash: fd5550cb344639488e59e975bf7c83b31fce18860d2481271e35627b1b3623d5
Instruction Fuzzy Hash: 1341B263A18A45C2DB208F25E8467A967B0FB98B84F405135EE4DCB798DF3CD842C750

Function 000000014000C60C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014000C64D
_invalid_parameter_noinfo.LIBCMT ref: 000000014000C658

Strings

B, xrefs: 000000014000C689

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: f7a1271b1668ab66b4a84c5d00cf56c613d18e1254de771e68acfd2d0fc1a2bf
Instruction ID: fb9341cf0e7f3ee6dc2b95d1ae3c27e687eb38a3f2a8d88a82ca8e5383b26449
Opcode Fuzzy Hash: f7a1271b1668ab66b4a84c5d00cf56c613d18e1254de771e68acfd2d0fc1a2bf
Instruction Fuzzy Hash: 1D21A072B21B5089E726DB66A840BDD37A4B70CBE8F181126FF5953BE8DB31C441C740

Function 000001FE8FADDC70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

StrChrW.SHLWAPI ref: 000001FE8FADDCA0
swscanf.LIBCMT ref: 000001FE8FADDCFD

Strings

%d.%d.%d.%d%c, xrefs: 000001FE8FADDCEE

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: swscanf
String ID: %d.%d.%d.%d%c
API String ID: 3616590096-2398565245
Opcode ID: c43af12d048c2140f8e3e2782bbf25f93f865edb1df4d58d990b40a747d97f95
Instruction ID: b55de3e9e4a68abbad513887a45ad9f27c17e84ca20836e00ccb648423a55c58
Opcode Fuzzy Hash: c43af12d048c2140f8e3e2782bbf25f93f865edb1df4d58d990b40a747d97f95
Instruction Fuzzy Hash: C911AE72715A8285FE11EB14E4513FAB3E0EB857A4F940172E78E476A5DA7DC483CB00

Function 0000000140006180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

StrChrW.SHLWAPI ref: 00000001400061B0
swscanf.LIBCMT ref: 000000014000620D

Strings

%d.%d.%d.%d%c, xrefs: 00000001400061FE

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: swscanf
String ID: %d.%d.%d.%d%c
API String ID: 3616590096-2398565245
Opcode ID: db1601ccb1c388ebda55326c052e70a063839f8cce7590c3c59e541af1868db2
Instruction ID: a3aa882280f83d70abec01af91cc7078a705e13651bf993b0cd020c5afcc04f4
Opcode Fuzzy Hash: db1601ccb1c388ebda55326c052e70a063839f8cce7590c3c59e541af1868db2
Instruction Fuzzy Hash: BA11AFB2705A4581FA56CB62F4513EAB3A1EB99794F440022FB8D47AA9DF7CC582CB00

Function 000001FE8FAF7235 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000001FE8FAF72F9

Strings

csm, xrefs: 000001FE8FAF72B5
csm, xrefs: 000001FE8FAF725C

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 48bc1373a0cf7fa20b60edcf05be31b4cb9f1640bae482645bfd625d32f457a4
Instruction ID: 463c08f0ec7643fdc81d8cde80602c75461da7687eb104dd68ac5986bc0899df
Opcode Fuzzy Hash: 48bc1373a0cf7fa20b60edcf05be31b4cb9f1640bae482645bfd625d32f457a4
Instruction Fuzzy Hash: FD319773500A45CAEB609F65C0843A83BB5F358BADF861365EB4D4BB68C775C891C784

Function 00007FF665BBD220 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF665BBD2B2

Strings

QWaitCondition::wait: Cannot wait on recursive mutexes, xrefs: 00007FF665BBD25D
default, xrefs: 00007FF665BBD256

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ObjectSingleWait
String ID: QWaitCondition::wait: Cannot wait on recursive mutexes$default
API String ID: 24740636-2009005735
Opcode ID: 146604afdf875c87d0d0e0ef66d7f3da82025842baf9707a1a8bbcafb69421db
Instruction ID: 7a176d4bebed29e4ddb753a1f5b02f8805420cd3686cff4f55d4b1ec34687386
Opcode Fuzzy Hash: 146604afdf875c87d0d0e0ef66d7f3da82025842baf9707a1a8bbcafb69421db
Instruction Fuzzy Hash: 89118422A08B91C5DB10DB12F4A627AA371FB89FD4F444131EA8D8BB5ADF7CD855CB40

Function 000001FE8FAE6418 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001FE8FAE6399
_invalid_parameter_noinfo.LIBCMT ref: 000001FE8FAE63A4

Strings

B, xrefs: 000001FE8FAE63C9

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 0393436462657110cb73ce37d4357934f28618228331e8602f4d03b9a811f737
Instruction ID: b1c4ed8af205c8e07323f3fc22a86904fd821c1695a964eb461ec04eced09087
Opcode Fuzzy Hash: 0393436462657110cb73ce37d4357934f28618228331e8602f4d03b9a811f737
Instruction Fuzzy Hash: 8011B132224BC186E720AF15E5503EEB6E5F798BF4F584671AB9807BA5DF38D542CB00

Function 000001FE8FAE1130 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 000001FE8FAE117D
WSAGetLastError.WS2_32 ref: 000001FE8FAE1188

Strings

<C-CNNID: %Iu> send 0 bytes (detect package), xrefs: 000001FE8FAE119C

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLastsend
String ID: <C-CNNID: %Iu> send 0 bytes (detect package)
API String ID: 1802528911-4236689219
Opcode ID: 26024b8f4a6b1fc62b5e85987d6cbbeeaefd2807c977c47cb76afe576a9464f7
Instruction ID: 39b685ed7fe4742c07028f9fed5ad9f4cce3c246f884bf3f0770fa9746a07ba6
Opcode Fuzzy Hash: 26024b8f4a6b1fc62b5e85987d6cbbeeaefd2807c977c47cb76afe576a9464f7
Instruction Fuzzy Hash: D811C27270094086EB94CF2AE4847AE73F0F788BACF654124DB188B2A5DB75C8D38B40

Function 0000000140009640 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 000000014000968D
WSAGetLastError.WS2_32 ref: 0000000140009698

Strings

<C-CNNID: %Iu> send 0 bytes (detect package), xrefs: 00000001400096AC

Memory Dump Source

Source File: 00000000.00000002.1939508015.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1939492195.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939526748.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939540751.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1939554398.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLastsend
String ID: <C-CNNID: %Iu> send 0 bytes (detect package)
API String ID: 1802528911-4236689219
Opcode ID: 0e45df35e4add629027d2dbd4533ad86ad3e6d2f14b6c7cbbb9db694f1680240
Instruction ID: 7da57c49a633c925aba81d23fd4dacce9c0a132b2f84759fbf73eb3e93c5cd4f
Opcode Fuzzy Hash: 0e45df35e4add629027d2dbd4533ad86ad3e6d2f14b6c7cbbb9db694f1680240
Instruction Fuzzy Hash: 40118EB261060086EB51CF2AF48479E73B1F79CB9CF654121EB188B6A5CB76C8D38F40

Function 000001FE8FAF7335 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 000001FE8FAE5D74: _getptd.LIBCMT ref: 000001FE8FAE5D81
Part of subcall function 000001FE8FAE5D74: _getptd.LIBCMT ref: 000001FE8FAE5D94

_getptd.LIBCMT ref: 000001FE8FAF7396
_getptd.LIBCMT ref: 000001FE8FAF73A9

Strings

csm, xrefs: 000001FE8FAF7355

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: 110644245a712163c931d5ba1d41ab16cc3e499cf3e1aabacc1b7c0560f8ec51
Instruction ID: 6c673d9a612122c5ac6e0559fe0a6cff5da2373df45d4238f4704cb8d0e1611c
Opcode Fuzzy Hash: 110644245a712163c931d5ba1d41ab16cc3e499cf3e1aabacc1b7c0560f8ec51
Instruction Fuzzy Hash: 37014832141A82CAEB70BF21D8507FC23E5E758BA9F5803B5DF094E6A6DB30C882C300

Function 00007FF665B69EF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(?,?,?,?,?,?,?,00007FF665B69E8E), ref: 00007FF665B69F13

Strings

default, xrefs: 00007FF665B69F2E
QMutexData::QMutexData: Cannot create event, xrefs: 00007FF665B69F35

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: CreateEvent
String ID: QMutexData::QMutexData: Cannot create event$default
API String ID: 2692171526-3883557714
Opcode ID: 7e7d644c09d99a5a6c3be016508522d6b6355ef5b7fdc0e416c337ea6e263274
Instruction ID: 82c86bee046618b2333aabd70950d7876ead807d57afff4e2ad9344ab7db2acf
Opcode Fuzzy Hash: 7e7d644c09d99a5a6c3be016508522d6b6355ef5b7fdc0e416c337ea6e263274
Instruction Fuzzy Hash: 05F04433A09B81C1EB108F25F44276AB7B0FB98B48F648135E68D46755DF7CD591CB40

Function 00007FF665C31574 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF665C3159D
TlsSetValue.KERNEL32(?,?,?,00007FF665C327EA,?,?,?,00007FF665C28CFD,?,?,?,?,00007FF665B784A7), ref: 00007FF665C315B4

Strings

FlsSetValue, xrefs: 00007FF665C3158A

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 0ba6b372cb4a2b199900795e9c6c51c8a2dfea35c9e952b3c7edfe421b932056
Instruction ID: 5ad7ff7278c7f1f400e57f5a1e60bbda555c0eee0e5fc02e13bcd60af7d27f5c
Opcode Fuzzy Hash: 0ba6b372cb4a2b199900795e9c6c51c8a2dfea35c9e952b3c7edfe421b932056
Instruction Fuzzy Hash: 61E09B62A08606D5EB044B55F4428F43332AF48F80F485239D54E8E395CE3CED84C705

Function 000001FE8FAD1870 Relevance: 5.1, APIs: 4, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000001FE8FAD18EE
VirtualFree.KERNEL32 ref: 000001FE8FAD1928
VirtualAlloc.KERNEL32 ref: 000001FE8FAD1995
VirtualFree.KERNEL32 ref: 000001FE8FAD19CF

Part of subcall function 000001FE8FAD1A80: send.WS2_32 ref: 000001FE8FAD1AE3
Part of subcall function 000001FE8FAD1A80: send.WS2_32 ref: 000001FE8FAD1B30

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocFreesend
String ID:
API String ID: 2354595252-0
Opcode ID: 42f920e62df292d262b0744aa4ce6eb943c302377280a50c8d6856371cde3bb9
Instruction ID: aee9273d34a2db8e4f37fbd0d990230d9b76e1069c0adb789dbb13b2e0e37a9c
Opcode Fuzzy Hash: 42f920e62df292d262b0744aa4ce6eb943c302377280a50c8d6856371cde3bb9
Instruction Fuzzy Hash: 3E516076300B8187E715EB2AF4506AEB7E5F784BD8F104225DB8A97B64DF78E446C700

Function 000001FE8FAD2290 Relevance: 5.1, APIs: 4, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 000001FE8FAD230E
VirtualFree.KERNEL32 ref: 000001FE8FAD2348
VirtualAlloc.KERNEL32 ref: 000001FE8FAD23B5
VirtualFree.KERNEL32 ref: 000001FE8FAD23EF

Memory Dump Source

Source File: 00000000.00000002.1940106537.000001FE8FAD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FE8FAD0000, based on PE: true

Associated: 00000000.00000002.1940106537.000001FE8FB0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fe8fad0000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: c644452f85baab6451ec69b31673ecdda31e611098b1083b8dabd6bbc09c8c61
Instruction ID: 0d6c599ea72ba095e331174377eb10fa3a908310e6eee88f719de0bc653c3fcd
Opcode Fuzzy Hash: c644452f85baab6451ec69b31673ecdda31e611098b1083b8dabd6bbc09c8c61
Instruction Fuzzy Hash: D9515076200B8187E715EB2AF4406AEB7E5F784BD4F108265DB8A97B64DB7CE486C700

Function 00007FF665B44410 Relevance: 5.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00007FF665B4444E
IsBadReadPtr.KERNEL32 ref: 00007FF665B44544
SetLastError.KERNEL32(?,?,00000000,00000000,?,00007FF665B44A90), ref: 00007FF665B44566
SetLastError.KERNEL32(?,?,00000000,00000000,?,00007FF665B44A90), ref: 00007FF665B44584

Memory Dump Source

Source File: 00000000.00000002.1940266769.00007FF665B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF665B40000, based on PE: true

Associated: 00000000.00000002.1940253641.00007FF665B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665C46000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940332962.00007FF665D7B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DB8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940441501.00007FF665DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1940478430.00007FF665DFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff665b40000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 6a69c7bdf01cc1d2336885ad907c5f05680f579d0beabb65993b657d56b6f43c
Instruction ID: 2f655e583e4e2663031b59628d846dd37474ba32f96031b0f05d1db47ad79c6f
Opcode Fuzzy Hash: 6a69c7bdf01cc1d2336885ad907c5f05680f579d0beabb65993b657d56b6f43c
Instruction Fuzzy Hash: F7416A36A09A81C6EF248F15E01563923B5FB49F98F054439DE9E8B798EF78E864C700

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report quHmbPnLFV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_quHmbPnLFV.exe_ff65ec9a547faaab72fb38c58ef38a8d91f5916e_af65133f_54b19cd4-1e5b-4af4-9f7a-9955a068d1c9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC782.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC88D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8AD.tmp.xml

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
quHmbPnLFV.exe

Function 000001FE8FAD2B00 Relevance: 77.4, APIs: 30, Strings: 14, Instructions: 365
stringnetworklibraryCOMMON

Function 000001FE8FADB9A0 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
sleepsynchronizationtimeCOMMON

Function 00007FF665B44610 Relevance: 31.9, APIs: 16, Strings: 2, Instructions: 354
memorylibraryloaderCOMMON

Function 000001FE8FAD4900 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 133
registrystringCOMMON

Function 00007FF665B43FB0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 79
encryptionCOMMON

Function 000001FE8FAD4D10 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 82
registrylibraryloaderCOMMON

Function 000001FE8FAD14F0 Relevance: 18.1, APIs: 12, Instructions: 139
networkstringtimeCOMMON

Function 00000001400014F0 Relevance: 18.1, APIs: 12, Instructions: 139
networkstringtimeCOMMON

Function 00000001400041B0 Relevance: 16.5, APIs: 11, Instructions: 43
threadsleepsynchronizationCOMMON

Function 000001FE8FAD4770 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 87
COMMON

Function 000001FE8FAD3830 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 70
synchronizationsleepstringCOMMON

Function 0000000140003AC0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163
sleepCOMMON

Function 000001FE8FAE0FD0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99
networkCOMMON

Function 00000001400094E0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99
networkCOMMON

Function 00007FF665B49920 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176
libraryloaderCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre