Edit tour

Windows Analysis Report
quHmbPnLFV.exe

Overview

General Information

Sample name:	quHmbPnLFV.exe renamed because original name is a hash value
Original sample name:	ee5c76835a63d4656886ab1f9755ee84b7311394bd2ec83e8c8c4170dc48e3aa.exe
Analysis ID:	1582216
MD5:	e4a3903deccb9128673c052ca0a31080
SHA1:	326c8a7f863a9a7c3f6135a6a916168bea68b1be
SHA256:	ee5c76835a63d4656886ab1f9755ee84b7311394bd2ec83e8c8c4170dc48e3aa
Tags:	backdoorexesilverfoxwinosuser-zhuzhu0009
Infos:

Detection

GhostRat

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GhostRat

AI detected suspicious sample

Contain functionality to detect virtual machines

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

quHmbPnLFV.exe (PID: 6816 cmdline: "C:\Users\user\Desktop\quHmbPnLFV.exe" MD5: E4A3903DECCB9128673C052CA0A31080)

WerFault.exe (PID: 5000 cmdline: C:\Windows\system32\WerFault.exe -u -p 6816 -s 1376 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: quHmbPnLFV.exe PID: 6816	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: quHmbPnLFV.exe

Virustotal: Detection: 11%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF7F7313FB0 CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CloseHandle,CloseHandle,

0_2_00007FF7F7313FB0

Source: quHmbPnLFV.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF7F7380B00 FindFirstFileW,FindClose,

0_2_00007FF7F7380B00

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 206.238.220.204:6666

Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204
Source: unknown	TCP traffic detected without corresponding DNS query: 206.238.220.204

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB81750 select,recv,

0_2_0000026C9CB81750

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB8C1B0 Sleep,GetTickCount,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,lstrlenW,wsprintfW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,

0_2_0000026C9CB8C1B0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

0_2_0000026C9CB8C1B0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB88FC0 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,

0_2_0000026C9CB88FC0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB8BDD0 SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,

0_2_0000026C9CB8BDD0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF7F7381B50: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00007FF7F7381B50

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB88997 GetModuleFileNameW,GetCommandLineW,GetStartupInfoW,CreateProcessW,ExitProcess,ExitProcess,ExitWindowsEx,	0_2_0000026C9CB88997
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB88A4E ExitWindowsEx,	0_2_0000026C9CB88A4E
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB88A2D ExitWindowsEx,	0_2_0000026C9CB88A2D

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB82B00	0_2_0000026C9CB82B00
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB8B480	0_2_0000026C9CB8B480
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB814F0	0_2_0000026C9CB814F0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB8C1B0	0_2_0000026C9CB8C1B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB9D160	0_2_0000026C9CB9D160
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CBA4288	0_2_0000026C9CBA4288
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB85280	0_2_0000026C9CB85280
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CBA3A24	0_2_0000026C9CBA3A24
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB85A10	0_2_0000026C9CB85A10
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB921F0	0_2_0000026C9CB921F0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB83A60	0_2_0000026C9CB83A60
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB97B8C	0_2_0000026C9CB97B8C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CBA5378	0_2_0000026C9CBA5378
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB98B00	0_2_0000026C9CB98B00
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB862F0	0_2_0000026C9CB862F0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB89B40	0_2_0000026C9CB89B40
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB9EC80	0_2_0000026C9CB9EC80
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB8CBF0	0_2_0000026C9CB8CBF0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB8BDD0	0_2_0000026C9CB8BDD0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB9FD10	0_2_0000026C9CB9FD10
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB8F650	0_2_0000026C9CB8F650
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CBA6770	0_2_0000026C9CBA6770
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB9C7E0	0_2_0000026C9CB9C7E0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB88FC0	0_2_0000026C9CB88FC0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB97F58	0_2_0000026C9CB97F58
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB898D0	0_2_0000026C9CB898D0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB85820	0_2_0000026C9CB85820
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7314610	0_2_00007FF7F7314610
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7408770	0_2_00007FF7F7408770
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F73FD588	0_2_00007FF7F73FD588
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7368500	0_2_00007FF7F7368500
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7403340	0_2_00007FF7F7403340
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F73FA3D8	0_2_00007FF7F73FA3D8
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F73333A0	0_2_00007FF7F73333A0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F733B240	0_2_00007FF7F733B240
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F73FA144	0_2_00007FF7F73FA144
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F73461B0	0_2_00007FF7F73461B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7350050	0_2_00007FF7F7350050
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F732FE70	0_2_00007FF7F732FE70
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7330B50	0_2_00007FF7F7330B50
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7381B50	0_2_00007FF7F7381B50
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F73F5BE4	0_2_00007FF7F73F5BE4
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7396BF0	0_2_00007FF7F7396BF0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7342C00	0_2_00007FF7F7342C00
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7408B9C	0_2_00007FF7F7408B9C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7400ACC	0_2_00007FF7F7400ACC
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7350970	0_2_00007FF7F7350970
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F7402934	0_2_00007FF7F7402934
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F740A9D8	0_2_00007FF7F740A9D8
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F732B9B0	0_2_00007FF7F732B9B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400041B0	0_2_00000001400041B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400014F0	0_2_00000001400014F0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014001BFE8	0_2_000000014001BFE8
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014001D06C	0_2_000000014001D06C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140005100	0_2_0000000140005100
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400101E0	0_2_00000001400101E0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140003310	0_2_0000000140003310
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140007B60	0_2_0000000140007B60
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014000F38C	0_2_000000014000F38C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140002D20	0_2_0000000140002D20
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014001364C	0_2_000000014001364C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014001A698	0_2_000000014001A698
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400166B0	0_2_00000001400166B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014000F6D4	0_2_000000014000F6D4
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014001AEFC	0_2_000000014001AEFC
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014000A700	0_2_000000014000A700
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140013FCC	0_2_0000000140013FCC
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB4F121	0_2_0000026C9CB4F121
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB48A91	0_2_0000026C9CB48A91
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB493A1	0_2_0000026C9CB493A1
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB454E1	0_2_0000026C9CB454E1
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB425D1	0_2_0000026C9CB425D1
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB44D51	0_2_0000026C9CB44D51
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB43531	0_2_0000026C9CB43531
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB4C6C1	0_2_0000026C9CB4C6C1
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB5765D	0_2_0000026C9CB5765D
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB40FC1	0_2_0000026C9CB40FC1
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB4AF51	0_2_0000026C9CB4AF51
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB5E751	0_2_0000026C9CB5E751
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB4B8A1	0_2_0000026C9CB4B8A1

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: String function: 00007FF7F731D680 appears 62 times

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6816 -s 1376

Source: quHmbPnLFV.exe

Binary or memory string: nna.nosciencehu.comtadaoka.osaka.jphayakawa.yamanashi.jpdnsalias.orgedu.saedu.sbedu.rsedu.sclib.id.usogori.fukuoka.jpnotogawa.shiga.jpedu.sdrepbody.aeroid.auedu.ruk12.nj.usloyalist.museumedu.rwedu.sgxyzmoka.tochigi.jpdynathome.netkimino.wakayama.jpedu.slnissanveterinaire.kmkokubunji.tokyo.jpedu.snos.hordaland.notm.kmartsandcrafts.museumis-a-musician.com*.kitakyushu.jpiitate.fukushima.jpedu.stav.iturayasu.chiba.jpedu.svflorida.museumninjaedu.synemuro.hokkaido.jpedu.tjs

Source: classification engine

Classification label: mal80.troj.evad.winEXE@2/6@0/2

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF7F7319F50 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF7F7319F50

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB851C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	0_2_0000026C9CB851C0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB856A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_0000026C9CB856A0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB85040 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,OpenProcess,	0_2_0000026C9CB85040

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB84770 GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,swprintf,swprintf,

0_2_0000026C9CB84770

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB83970 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_0000026C9CB83970

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB84B60 lstrlenW,CoInitialize,CoInitializeEx,CoCreateInstance,swprintf,

0_2_0000026C9CB84B60

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Mutant created: \Sessions\1\BaseNamedObjects\2024. 9. 2
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6816

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1f72d731-1349-4372-ab54-c6fe9b5eff46

Jump to behavior

Source: quHmbPnLFV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: quHmbPnLFV.exe

Virustotal: Detection: 11%

Source: quHmbPnLFV.exe	String found in binary or memory: Africa/Addis_Ababa
Source: quHmbPnLFV.exe	String found in binary or memory: in-addr.arpa
Source: quHmbPnLFV.exe	String found in binary or memory: gaviika.notattoofg.itkonan.shiga.jpoff.aicountrydevrn.itsamukawa.kanagawa.jpbaiduport.frcarbonia-iglesias.itmiyoshi.tokushima.jptabuse.yamaguchi.jpsosnowiec.pladultin-addr.arpagran.nogob.paserveftp.orghidaka.hokkaido.jpnesseby.nosatosho.okayama.jpgob.peflightsandriabarlettatrani.itnagato.yamaguchi.jphostnes.akershus.nogob.pkdvrdns.orgmiyota.nagano.jpembroidery.museumkarasjohka.nofrom-ky.comtrieste.itashoro.hokkaido.jpdealersaigawa.fukuoka.jpspiegelatlanta.museumromskog.nol

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

File read: C:\Users\user\Desktop\quHmbPnLFV.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\quHmbPnLFV.exe "C:\Users\user\Desktop\quHmbPnLFV.exe"
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6816 -s 1376

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: ddraw.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Section loaded: dxcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7B70EE0-4340-11CF-B063-0020AFC2CD35}\InprocServer32

Jump to behavior

Source: quHmbPnLFV.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: quHmbPnLFV.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: quHmbPnLFV.exe

Static file information: File size 2835456 > 1048576

Source: quHmbPnLFV.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x104c00
Source: quHmbPnLFV.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x171600

Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: quHmbPnLFV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: quHmbPnLFV.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: quHmbPnLFV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: quHmbPnLFV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: quHmbPnLFV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: quHmbPnLFV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: quHmbPnLFV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: quHmbPnLFV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB84D10 LoadLibraryW,GetProcAddress,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,

0_2_0000026C9CB84D10

Source: quHmbPnLFV.exe

Static PE information: section name: .gehcont

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CBA88F2 push rbp; retf	0_2_0000026C9CBA8A04
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CBA8868 push rbp; retf	0_2_0000026C9CBA8A04
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CBA8848 push rbp; retf	0_2_0000026C9CBA8A04

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB88933 OpenEventLogW,ClearEventLogW,CloseEventLog,

0_2_0000026C9CB88933

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: C:\Program Files\VMware\VMware Tools\ VMware

0_2_0000026C9CB84F20

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_0-76491

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-74979

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-75418

Source: C:\Users\user\Desktop\quHmbPnLFV.exe TID: 6860	Thread sleep time: -50000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe TID: 2564	Thread sleep time: -50000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF7F7380B00 FindFirstFileW,FindClose,

0_2_00007FF7F7380B00

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB84900 RegOpenKeyExW,RegQueryValueExW,lstrcmpW,RegQueryValueExW,lstrcpyW,RegQueryValueExW,GetSystemInfo,wsprintfW,lstrcpyW,lstrcpyW,RegCloseKey,RegCloseKey,

0_2_0000026C9CB84900

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: quHmbPnLFV.exe, 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware\VMware Tools\
Source: quHmbPnLFV.exe, 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ~/%s%d/None/%sHDD:%dWW %d Gb Free %d Gb Mem: %d Gb %sFree%d Gb %s-%d8herrorDriverDescSYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000%s >fX[:%d MGetNativeSystemInfontdll.dllRtlGetNtVersionNumbers%d.%d.%dSOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameC:\Program Files\VMware\VMware Tools\VMwareSeDebugPrivilegeNtSetInformationProcessNtDll.dllWindows\System32\svchost.exe%s%sOpenProcessKernel32.dllExitProcessWinExecWaitForSingleObjectwininet.dllInternetOpenWMSIE 6.0InternetOpenUrlWInternetReadFileInternetCloseHandleinvalid string positionstring too long
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: quHmbPnLFV.exe, 00000000.00000002.2236303982.0000026C9AB8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	API call chain: ExitProcess graph end node			graph_0-75147
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	API call chain: ExitProcess graph end node			graph_0-74872

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB96968 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0000026C9CB96968

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB84D10 LoadLibraryW,GetProcAddress,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,

0_2_0000026C9CB84D10

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB841F0 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,

0_2_0000026C9CB841F0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB96968 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0000026C9CB96968
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB8B480 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,Sleep,SleepEx,EnumWindows,Sleep,EnumWindows,CreateEventA,Sleep,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,	0_2_0000026C9CB8B480
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CBA8270 SetUnhandledExceptionFilter,	0_2_0000026C9CBA8270
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB93A20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000026C9CB93A20
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F73F7648 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7F73F7648
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00007FF7F73F160C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7F73F160C
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400041B0 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,CreateThread,WaitForSingleObject,CloseHandle,Sleep,	0_2_00000001400041B0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014000E2F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000014000E2F8
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_00000001400112FC SetUnhandledExceptionFilter,	0_2_00000001400112FC
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_000000014000BF30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000000014000BF30

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB85280 GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,

0_2_0000026C9CB85280

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

0_2_0000026C9CB85280

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: GetSystemDirectoryA,CreateProcessA,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe

0_2_0000026C9CB85280

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB84140 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0000026C9CB84140

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetSystemInfo,wsprintfW,GetLocalTime,wsprintfW,GetLocaleInfoW,EnumDisplayMonitors,swprintf,swprintf,lstrcatW,GetSystemDirectoryW,GetCurrentHwProfileW,

0_2_0000026C9CB82B00

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB8B9A0 Sleep,GetLocalTime,wsprintfW,Sleep,SleepEx,EnumWindows,Sleep,EnumWindows,Sleep,SleepEx,CreateEventA,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,

0_2_0000026C9CB8B9A0

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_00007FF7F73FA3D8 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF7F73FA3D8

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Code function: 0_2_0000026C9CB995AC HeapCreate,GetVersion,HeapSetInformation,

0_2_0000026C9CB995AC

Source: C:\Users\user\Desktop\quHmbPnLFV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: quHmbPnLFV.exe	Binary or memory string: acs.exe
Source: quHmbPnLFV.exe	Binary or memory string: vsserv.exe
Source: quHmbPnLFV.exe	Binary or memory string: avcenter.exe
Source: quHmbPnLFV.exe	Binary or memory string: kxetray.exe
Source: quHmbPnLFV.exe	Binary or memory string: avp.exe
Source: quHmbPnLFV.exe	Binary or memory string: cfp.exe
Source: quHmbPnLFV.exe	Binary or memory string: KSafeTray.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: quHmbPnLFV.exe	Binary or memory string: 360Safe.exe
Source: quHmbPnLFV.exe	Binary or memory string: rtvscan.exe
Source: quHmbPnLFV.exe	Binary or memory string: 360tray.exe
Source: quHmbPnLFV.exe	Binary or memory string: ashDisp.exe
Source: quHmbPnLFV.exe	Binary or memory string: TMBMSRV.exe
Source: quHmbPnLFV.exe	Binary or memory string: 360Tray.exe
Source: quHmbPnLFV.exe	Binary or memory string: avgwdsvc.exe
Source: quHmbPnLFV.exe	Binary or memory string: AYAgent.aye
Source: quHmbPnLFV.exe	Binary or memory string: RavMonD.exe
Source: quHmbPnLFV.exe	Binary or memory string: QUHLPSVC.EXE
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe
Source: quHmbPnLFV.exe	Binary or memory string: Mcshield.exe
Source: quHmbPnLFV.exe	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: quHmbPnLFV.exe PID: 6816, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: quHmbPnLFV.exe PID: 6816, type: MEMORYSTR

Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000026C9CB90EF0 htons,bind,		0_2_0000026C9CB90EF0
Source: C:\Users\user\Desktop\quHmbPnLFV.exe	Code function: 0_2_0000000140009400 htons,bind,		0_2_0000000140009400

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	211 Process Injection	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	2 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	17 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Indicator Removal	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
quHmbPnLFV.exe	8%	ReversingLabs	Win32.Backdoor.GhostRAT
quHmbPnLFV.exe	11%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
206.238.220.204	unknown	United States		174	COGENT-174US	false

Private

IP
192.168.1.2

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582216
Start date and time:	2024-12-30 03:57:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	quHmbPnLFV.exe renamed because original name is a hash value
Original Sample Name:	ee5c76835a63d4656886ab1f9755ee84b7311394bd2ec83e8c8c4170dc48e3aa.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@2/6@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 60 Number of non-executed functions: 259
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.190.159.68, 4.175.87.197, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	154.44.130.212
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	154.22.1.136
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	38.237.101.164
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	38.142.152.46
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	38.53.96.152
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	38.34.88.62
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	206.42.118.144
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	38.168.204.186
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	38.236.228.40

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_quHmbPnLFV.exe_ff65ec9a547faaab72fb38c58ef38a8d91f5916e_af65133f_d5edd506-a81f-48b8-a842-c164e9d57838\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0637444992487894
Encrypted:	false
SSDEEP:	192:6FC5/4MZ90hT88SjjZtXpZFQ2wzuiFTZ24lO8Q:cy/4MAho8SjZwzuiFTY4lO8Q
MD5:	1420947A2B80C59C904B3159A42ED778
SHA1:	A6793D8C75474CF71668D1979DCA910C29615A0C
SHA-256:	9FACD4B3CA639AF0A670C5928203CAE6F27A5E56CB85FF22A42857783502C300
SHA-512:	BB3D95660226521D76983942AAD0DC7E645C2723A75672B933ADE4233D945F811400176AC4AF46EBA66516A49B93CE7D1F802A61927AC883FF9D96FF2AFEE2D4
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.0.0.1.1.1.4.8.5.4.0.2.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.0.0.1.1.1.5.4.8.8.0.3.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.e.d.d.5.0.6.-.a.8.1.f.-.4.8.b.8.-.a.8.4.2.-.c.1.6.4.e.9.d.5.7.8.3.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.4.6.5.e.8.c.-.4.5.7.1.-.4.3.c.f.-.9.e.0.8.-.b.8.b.9.2.3.4.c.a.e.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.q.u.H.m.b.P.n.L.F.V...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.a.0.-.0.0.0.1.-.0.0.1.4.-.b.3.c.a.-.7.7.b.2.6.6.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.2.5.5.3.d.3.c.5.e.c.0.1.a.7.5.9.a.9.0.a.0.b.8.3.3.3.d.0.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.3.2.6.c.8.a.7.f.8.6.3.a.9.a.7.c.3.f.6.1.3.5.a.6.a.9.1.6.1.6.8.b.e.a.6.8.b.1.b.e.!.q.u.H.m.b.P.n.L.F.V...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.0.2.:.2.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6FC8.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon Dec 30 02:58:35 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	209400
Entropy (8bit):	1.8254116955934527
Encrypted:	false
SSDEEP:	768:sqNLroZLsiI76Wgkpsa/sfe6koIBmU9R5LgN14SGbLEq:7rqwi/Lk6acfIBP9/LGGb4q
MD5:	8154150080A3759B8B88FF68E1797901
SHA1:	0F8D0BA02FA68AA6B04AD9CD35210842F262A054
SHA-256:	692507F76A323B1BEE05FB6CBAF647F312FF80A32F5CDD13E0E6702EBFE03CA7
SHA-512:	14660121196FE1F27EAF9A69CF6B0CA5CDAA1130A932C52161A2AD74F11CD89C59859FAB1FA66878BCB47C2E13BDDF18F86ED391E51D9A4FC8D7BAC85A813670
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......[.rg............D...............d.......$...h$...........$......................l.......8...........T...........(3..............4B.......... D..............................................................................eJ.......D......Lw......................T...........R.rg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7150.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8854
Entropy (8bit):	3.7033850047430286
Encrypted:	false
SSDEEP:	192:R6l7wVeJp8q6Y9eCPgmfyUJxgprO89bHkKfYNm:R6lXJyq6YECPgmfy40HJf/
MD5:	B01ED31E0AFE53A18756A75ACDA8FE18
SHA1:	CB59856BC471C900AEF76D3292D712CE2A2A04B6
SHA-256:	CB884BB7DFF1779B84002F95F8AD5E5D9099C2673077C22B41AEB5D7B5FDD2D4
SHA-512:	615CEA24693993C09AA1471164F94DC4B87AD0A61633DB1F015011EDDF6C9FF95E3D54EFDD6954F25E14BE3BAE7914400A7CCB17B5581AFCA135379643AD3CC4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7180.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4796
Entropy (8bit):	4.483793217998207
Encrypted:	false
SSDEEP:	48:cvIwWl8zsosJg771I9UvWpW8VY9Ym8M4JTwFFiyq8v0x1w2b/fd:uIjfJI7j+7VhJTXWI1w2jfd
MD5:	541CA126C9BCCD2C6E7A4A4BD5837D1C
SHA1:	C0FC0C93A776167F9E84BB59A40FA1E95C8436F0
SHA-256:	4B2FB3E857D890DADD1B591D129B4C2BE5B99A6BC7EDC9C7BE41D48753D5836E
SHA-512:	77ACE87C73E26229F4EC79AA698CF6AC83FD54BBF8DC25654F49312665AF1AEDC01907593BE63FF6118B134C79817B8D92463E4F6B055A20C98FBDD838E2D22C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="653401" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\quHmbPnLFV.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................user.

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4656131221068485
Encrypted:	false
SSDEEP:	6144:rIXfpi67eLPU9skLmb0b4aWSPKaJG8nAgejZMMhA2gX4WABl0uN+dwBCswSbt:sXD94aWlLZMM6YFHw+t
MD5:	C6C4F2AEF99D63713DD9CBF1DD52E688
SHA1:	44DC3459A03EF3E9E1CC420E412937754C2B66F6
SHA-256:	A4E513091613F12FD9F9500EEDA94683E8E09923F85DB56C4B1CE5A51E932C58
SHA-512:	12F21DE5DEB264FD5E17D6DBAD7331B805BBD7B42EF31314BE2BF1563FFF0064EFFB655A731EDB207393F7312444ECD9ECC8263604D68A7696933BA9F3C0E620
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*...fZ...............................................................................................................................................................................................................................................................................................................................................b..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.639658770449267
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	quHmbPnLFV.exe
File size:	2'835'456 bytes
MD5:	e4a3903deccb9128673c052ca0a31080
SHA1:	326c8a7f863a9a7c3f6135a6a916168bea68b1be
SHA256:	ee5c76835a63d4656886ab1f9755ee84b7311394bd2ec83e8c8c4170dc48e3aa
SHA512:	ab8b0f92a863c348c6819ba0f7cbc0b7d3669118c9646b239e542cc82768c7685e4326cb113561de23bf5aba5d539be3fdab6c212794ba4894011c40022bcbb2
SSDEEP:	49152:nKAtKQ+IgK2jItFcJsv6tWKFdu9C4FwPg0u7vTPQnWCLZgZ3YPmWjZ5RPpA4Jtuv:n9BFcJsv6tWKFdu9C9yvSWkUh
TLSH:	07D57B06B7A54164E9F7C13D49A3D296E6727C868B229ADF126CBB1D3D332F0193B311
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............r...r...r.......r......<r.......r.......r.......r...,...r...,...r.......r.......r.......r...r..^r..;....r..;....r..;....r.

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400e0cd4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D63D8D [Mon Sep 2 22:34:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	ec2055fdb052a446adb6979fb0ed0eab

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F2354C9BE10h
dec eax
add esp, 28h
jmp 00007F2354C9B0B7h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
jmp 00007F2354C9B251h
dec eax
mov ecx, ebx
call 00007F2354CAAF3Ah
test eax, eax
je 00007F2354C9B255h
dec eax
mov ecx, ebx
call 00007F2354CA1B7Eh
dec eax
test eax, eax
je 00007F2354C9B229h
dec eax
add esp, 20h
pop ebx
ret
dec eax
cmp ebx, FFFFFFFFh
je 00007F2354C9B248h
call 00007F2354C9C1F0h
int3
call 00007F2354C9C20Ah
int3
jmp 00007F2354BD8ECCh
int3
int3
int3
jmp 00007F2354C9B1FCh
int3
int3
int3
dec eax
sub esp, 28h
call 00007F2354C9C38Ch
test eax, eax
je 00007F2354C9B263h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F2354C9B247h
dec eax
cmp ecx, eax
je 00007F2354C9B256h
xor eax, eax
dec eax
cmpxchg dword ptr [001CAC78h], ecx
jne 00007F2354C9B230h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F2354C9B239h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [001CAC63h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [001CAC53h], al
call 00007F2354C9C1BBh
call 00007F2354C9D75Ah
test al, al
jne 00007F2354C9B246h

Rich Headers

Programming Language:

[ C ] VS2015 UPD3.1 build 24215
[C++] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x275bc0	0x428	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x275fe8	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2ba000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2ad000	0xb874	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2bb000	0x1738	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2558d0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x255a10	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x255910	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x106000	0x5f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x104afb	0x104c00	c84d40d1f469072f57a689e738938f87	False	0.4515520134228188	data	6.42377635279018	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x106000	0x171426	0x171600	b3565b4a69ad63ff5f0bccae2be1aeb9	False	0.4485690302453469	data	6.12092587750584	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x278000	0x34cf8	0x30600	eaf56cb727f7c173a8525299caf11fab	False	0.9167877906976745	data	7.769789455373511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x2ad000	0xb874	0xba00	cf779a23130b6ed874a178e9a6439f89	False	0.49380460349462363	data	6.05031206526366	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gehcont	0x2b9000	0x14	0x200	0b1a7acc4da92921e25ea6fbe01d58f0	False	0.048828125	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2ba000	0x2f0	0x400	0bb6439b754faf94f529f9817d706a2f	False	0.4033203125	data	4.3014032271203595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2bb000	0x1738	0x1800	b78a8906569a1ced329731d1563785d5	False	0.3839518229166667	data	5.389524742252251	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x2ba060	0x289	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5500770416024653

Imports

DLL	Import
KERNEL32.dll	IsBadReadPtr, FreeLibrary, GetModuleHandleW, GetCommandLineW, GetCurrentProcessId, LocalFree, VerSetConditionMask, GetLastError, GetVersionExW, FormatMessageW, VerifyVersionInfoW, OutputDebugStringW, GetConsoleWindow, CompareStringW, GetUserDefaultLCID, GetStartupInfoW, GetModuleFileNameW, SetEvent, WaitForSingleObject, CreateEventW, DuplicateHandle, WaitForMultipleObjects, GetCurrentProcess, CreateThread, GetCurrentThread, GetCurrentThreadId, SetThreadPriority, GetThreadPriority, TerminateThread, ResumeThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemInfo, QueryPerformanceCounter, QueryPerformanceFrequency, GetTickCount, WaitForSingleObjectEx, GetSystemDirectoryW, LoadLibraryW, GetSystemTime, GetLocalTime, CreateFileW, GetFileAttributesExW, GetCurrentDirectoryW, CreateDirectoryW, DeleteFileW, FindClose, FindFirstFileW, GetFileAttributesW, GetFileInformationByHandle, GetFullPathNameW, GetLogicalDrives, GetLongPathNameW, RemoveDirectoryW, GetTempPathW, SetErrorMode, DeviceIoControl, CopyFileW, MoveFileW, GetProcessHeap, FileTimeToSystemTime, FlushFileBuffers, GetFileType, ReadFile, SetEndOfFile, SetFilePointerEx, WriteFile, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, MoveFileExW, ResetEvent, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, GetCurrencyFormatW, GetUserDefaultUILanguage, MultiByteToWideChar, WideCharToMultiByte, FindFirstFileExW, FindNextFileW, GetTimeZoneInformation, GetGeoInfoW, GetUserGeoID, ReleaseMutex, CreateMutexW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, RtlPcToFileHeader, RaiseException, EncodePointer, LoadLibraryExW, GetCommandLineA, ExitProcess, GetModuleHandleExW, ExitThread, FreeLibraryAndExitThread, GetConsoleMode, ReadConsoleW, GetConsoleOutputCP, SetFileAttributesW, SetStdHandle, GetStdHandle, LCMapStringW, HeapReAlloc, SetEnvironmentVariableW, GetCPInfo, GetFileSizeEx, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, WriteConsoleW, HeapSize, GetProcAddress, HeapAlloc, GetNativeSystemInfo, LoadLibraryA, VirtualAlloc, VirtualFree, SetLastError, HeapFree, VirtualProtect, SystemTimeToTzSpecificLocalTime, CloseHandle
ADVAPI32.dll	OpenProcessToken, FreeSid, GetLengthSid, GetTokenInformation, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, CopySid, RegQueryInfoKeyW, RegQueryValueExW, CryptDestroyKey, CryptReleaseContext, CryptDestroyHash, CryptHashData, CryptDeriveKey, CryptCreateHash, CryptDecrypt, CryptAcquireContextW
WS2_32.dll	WSAAsyncSelect
USER32.dll	CharNextExA, CallNextHookEx, KillTimer, SetTimer, MsgWaitForMultipleObjectsEx, GetQueueStatus, UnhookWindowsHookEx, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, PostMessageW, PeekMessageW, DispatchMessageW, TranslateMessage, SetWindowLongPtrW, SetWindowsHookExW, DestroyWindow, GetWindowLongPtrW
SHELL32.dll	SHGetSpecialFolderPathW
ole32.dll	CoCreateInstance, CoTaskMemFree, CoInitialize, CoUninitialize

Exports

Name	Ordinal	Address
z_adler32	1	0x1400aab20
z_adler32_combine	2	0x1400aae00
z_adler32_combine64	3	0x1400aae00
z_compress	4	0x140049aa0
z_compress2	5	0x140049ac0
z_compressBound	6	0x140049b70
z_crc32	7	0x1400ab2f0
z_crc32_combine	8	0x1400ab300
z_crc32_combine64	9	0x1400ab300
z_deflate	10	0x140090200
z_deflateBound	11	0x140090b00
z_deflateCopy	12	0x140090c10
z_deflateEnd	13	0x140090e80
z_deflateInit2_	14	0x140090f60
z_deflateInit_	15	0x1400911f0
z_deflateParams	16	0x140091230
z_deflatePrime	17	0x140091350
z_deflateReset	18	0x140091390
z_deflateSetDictionary	19	0x1400914f0
z_deflateSetHeader	20	0x140091640
z_deflateTune	21	0x140091670
z_get_crc_table	22	0x1400ab310
z_inflate	23	0x140091830
z_inflateCopy	24	0x140093010
z_inflateEnd	25	0x140093250
z_inflateGetHeader	26	0x1400932b0
z_inflateInit2_	27	0x1400932e0
z_inflateInit_	28	0x1400933d0
z_inflateMark	29	0x1400933e0
z_inflatePrime	30	0x140093440
z_inflateReset	31	0x1400934a0
z_inflateReset2	32	0x140093520
z_inflateSetDictionary	33	0x1400935d0
z_inflateSync	34	0x1400936c0
z_inflateSyncPoint	35	0x140093820
z_inflateUndermine	36	0x140093850
z_uncompress	37	0x140049b90
z_zError	38	0x1400ab320
z_zlibCompileFlags	39	0x1400ab360
z_zlibVersion	40	0x1400ab370

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 03:58:29.333142042 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:29.338181973 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:29.338422060 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:29.338668108 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:29.343432903 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.187688112 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.188232899 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.193103075 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.193120003 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.193129063 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.501389027 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.501410007 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.501415968 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.501421928 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.501430035 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.501597881 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.716062069 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.716099977 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.716105938 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.716116905 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.716123104 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.716130018 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.716140985 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.716345072 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.716761112 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.716804028 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.716837883 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.716849089 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.716861010 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.716886997 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.761027098 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.930557013 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.930594921 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.930604935 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.930613995 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.930618048 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.930721998 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.930728912 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.930741072 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.930752993 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.930763006 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.930768013 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.930809975 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.931545019 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.931555986 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.931592941 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.931873083 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.931884050 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.931894064 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.931904078 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.931911945 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.931914091 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:30.931920052 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:30.931951046 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.145873070 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.145922899 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.145945072 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.145967007 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.145992041 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.146009922 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.146037102 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.146172047 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.146199942 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.146217108 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.146220922 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.146238089 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.146253109 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.146612883 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.146632910 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.146651983 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.146658897 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.146671057 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.146686077 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.146692991 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.146744013 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.147254944 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.147301912 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.147339106 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.147360086 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.147371054 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.147384882 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.147402048 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.147407055 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.147439957 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.360718966 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.360735893 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.360743046 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.360749006 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.360805988 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.360814095 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.360821009 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.360826015 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.360831976 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.361006975 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.361305952 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.361318111 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.361327887 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.361337900 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.361349106 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.361358881 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.361360073 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.361381054 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.361393929 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.361978054 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.361989021 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.362000942 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.362010956 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.362023115 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.362025976 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.362034082 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.362035036 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.362051010 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.362066031 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.362088919 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.362674952 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.362687111 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.362699032 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.362725019 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.416896105 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.576189041 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576208115 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576225996 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576236963 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576248884 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576261044 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576273918 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576283932 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.576289892 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576303959 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576316118 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.576353073 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.576786041 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576797962 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576808929 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576839924 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.576878071 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.576914072 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.576996088 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577007055 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577018023 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577028990 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577040911 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.577069044 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.577431917 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577442884 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577455044 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577465057 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577491999 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.577505112 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.577526093 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577538967 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577549934 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577562094 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577574968 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.577575922 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.577579975 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.577629089 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.578366995 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.578377962 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.578389883 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.578402042 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.578413010 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.578459024 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.791376114 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791418076 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791429996 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791435003 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791443110 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791513920 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.791547060 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791558981 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791569948 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791580915 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791590929 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.791591883 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791604996 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791615963 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.791616917 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.791644096 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.791661024 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.792187929 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.792197943 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.792208910 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.792218924 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.792228937 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.792238951 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.792238951 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.792253017 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.792263031 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.792265892 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.792274952 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.792284012 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.792304993 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.792963982 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.792974949 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.792992115 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793003082 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793013096 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793023109 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793034077 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793041945 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.793045044 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793052912 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793062925 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793073893 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793112993 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.793134928 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.793759108 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793771029 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793781996 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793792963 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793803930 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793807030 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.793816090 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:31.793821096 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:31.793850899 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.006362915 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.006383896 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.006397009 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.006407022 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.006424904 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.006436110 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.006448984 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.006454945 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.006460905 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.006494999 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.007563114 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.007579088 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.007590055 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.007630110 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.007632017 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.007643938 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.007656097 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.007668972 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.007671118 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.007699013 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.007807016 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.007817984 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.007829905 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.007839918 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.007857084 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.007889032 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.008076906 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008088112 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008109093 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008111954 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.008120060 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008131981 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008142948 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008169889 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.008574009 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008590937 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008596897 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008606911 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008613110 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008618116 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008625031 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008630037 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008636951 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008644104 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008647919 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.008647919 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.008651972 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.008708000 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.008728981 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.009361029 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009371996 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009382963 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009392977 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009403944 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009413004 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009423971 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009428024 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.009437084 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009448051 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009448051 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.009459972 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009470940 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009480953 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009491920 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009495020 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.009504080 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.009521008 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.009557009 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.010103941 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.010114908 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.010124922 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.010153055 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.055890083 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.220526934 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220664024 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220674038 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220684052 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220695972 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220705986 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220721960 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220730066 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.220752954 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.220833063 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220850945 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220863104 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220871925 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220876932 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.220876932 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.220937014 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.221098900 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.221107960 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.221124887 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.221134901 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.221146107 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.221153021 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.221179008 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.222233057 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222253084 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222265005 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222312927 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.222321987 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222332954 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222343922 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.222371101 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.222466946 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222477913 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222487926 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222534895 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.222681999 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222692966 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222704887 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222712994 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222718954 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.222743988 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.222879887 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222891092 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222903013 CET	6666	49730	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:32.222948074 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:32.256083965 CET	49730	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:34.367402077 CET	49731	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:58:34.372483969 CET	6666	49731	206.238.220.204	192.168.2.4
Dec 30, 2024 03:58:34.372601032 CET	49731	6666	192.168.2.4	206.238.220.204
Dec 30, 2024 03:59:24.453845024 CET	49731	6666	192.168.2.4	206.238.220.204

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 30, 2024 03:59:19.225480080 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:19.225481033 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:19.254039049 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:19.304018021 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:19.364006042 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:19.444020987 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:19.564059973 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:19.684052944 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:19.834041119 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:19.994041920 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:20.184071064 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:20.394047976 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:20.615082979 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:20.854406118 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:21.124042034 CET	49431	6341	192.168.2.4	192.168.1.2
Dec 30, 2024 03:59:21.414081097 CET	49431	6341	192.168.2.4	192.168.1.2

Target ID:	0
Start time:	21:58:26
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\quHmbPnLFV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\quHmbPnLFV.exe"
Imagebase:	0x7ff7f7310000
File size:	2'835'456 bytes
MD5 hash:	E4A3903DECCB9128673C052CA0A31080
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:58:34
Start date:	29/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6816 -s 1376
Imagebase:	0x7ff7da250000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	62.8%
Signature Coverage:	21.9%
Total number of Nodes:	1453
Total number of Limit Nodes:	68

Executed Functions

Function 0000026C9CB82B00 Relevance: 77.4, APIs: 30, Strings: 14, Instructions: 365
stringnetworklibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000026C9CB93E78: malloc.LIBCMT ref: 0000026C9CB93E92

gethostname.WS2_32 ref: 0000026C9CB82BB5
gethostbyname.WS2_32 ref: 0000026C9CB82BC2
inet_ntoa.WS2_32 ref: 0000026C9CB82BE0

Part of subcall function 0000026C9CB945FC: _errno.LIBCMT ref: 0000026C9CB9461A
Part of subcall function 0000026C9CB945FC: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB94626

Part of subcall function 0000026C9CB945FC: _errno.LIBCMT ref: 0000026C9CB94668

inet_ntoa.WS2_32 ref: 0000026C9CB82C3B
MultiByteToWideChar.KERNEL32 ref: 0000026C9CB82C98
MultiByteToWideChar.KERNEL32 ref: 0000026C9CB82CBA
GetLastInputInfo.USER32 ref: 0000026C9CB82CCD
GetTickCount.KERNEL32 ref: 0000026C9CB82CD3
wsprintfW.USER32 ref: 0000026C9CB82D07
MultiByteToWideChar.KERNEL32 ref: 0000026C9CB82D26
MultiByteToWideChar.KERNEL32 ref: 0000026C9CB82D4B
GetSystemInfo.KERNEL32 ref: 0000026C9CB82D83
wsprintfW.USER32 ref: 0000026C9CB82D9B
GetForegroundWindow.USER32 ref: 0000026C9CB82DB9
GetWindowTextW.USER32 ref: 0000026C9CB82DD4
lstrlenW.KERNEL32 ref: 0000026C9CB82DE1
lstrlenW.KERNEL32 ref: 0000026C9CB82E5D
GetModuleHandleW.KERNEL32 ref: 0000026C9CB82ECA
GetProcAddress.KERNEL32 ref: 0000026C9CB82EDA
GetSystemInfo.KERNEL32 ref: 0000026C9CB82EEE
wsprintfW.USER32 ref: 0000026C9CB82F37
GetLocalTime.KERNEL32 ref: 0000026C9CB82FD0
wsprintfW.USER32 ref: 0000026C9CB8301C
GetLocaleInfoW.KERNEL32 ref: 0000026C9CB83037
EnumDisplayMonitors.USER32 ref: 0000026C9CB8306D
swprintf.LIBCMT ref: 0000026C9CB83097
swprintf.LIBCMT ref: 0000026C9CB83107
lstrcatW.KERNEL32 ref: 0000026C9CB83123
GetSystemDirectoryW.KERNEL32 ref: 0000026C9CB83135
GetCurrentHwProfileW.ADVAPI32 ref: 0000026C9CB8313F

Strings

kernel32.dll, xrefs: 0000026C9CB82EA7
Network, xrefs: 0000026C9CB82DEE
2024. 9. 2, xrefs: 0000026C9CB82E8D
x64, xrefs: 0000026C9CB82F15
Run:%s Con:%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 0000026C9CB83015
REMARK, xrefs: 0000026C9CB82E6A
GetNativeSystemInfo, xrefs: 0000026C9CB82ED0
>f:yhV:, xrefs: 0000026C9CB8311C
x86, xrefs: 0000026C9CB82F1E
X64 %s, xrefs: 0000026C9CB82F30
AppEvents, xrefs: 0000026C9CB82DE7
GROUP, xrefs: 0000026C9CB82DFF
1.0, xrefs: 0000026C9CB82E45
%d min, xrefs: 0000026C9CB82D00

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharInfoMultiWidewsprintf$System$Window_errnoinet_ntoalstrlenswprintf$AddressCountCurrentDirectoryDisplayEnumForegroundHandleInputLastLocalLocaleModuleMonitorsProcProfileTextTickTime_invalid_parameter_noinfogethostbynamegethostnamelstrcatmalloc
String ID: %d min$1.0$2024. 9. 2$>f:yhV:$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$Run:%s Con:%4d.%2d.%2d-%2d:%2d:%2d$X64 %s$kernel32.dll$x64$x86
API String ID: 3092165503-1594994734
Opcode ID: 6f9a26f35435b5e38f586dea0dd05bdbbb2e27cbbf1188ae0f7fa3827131af10
Instruction ID: 3266f864bf5f91e18d62fd4c00e381f50e0127c02c8166d85eb4beeeaf23ecaa
Opcode Fuzzy Hash: 6f9a26f35435b5e38f586dea0dd05bdbbb2e27cbbf1188ae0f7fa3827131af10
Instruction Fuzzy Hash: 6102B432202A85D6EB24EF60E8483FE73B5F748748FA04116DACE53A95DF3AC659C744

Function 0000026C9CB8B480 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 279
sleepsynchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 0000026C9CB8B4D4
CloseHandle.KERNEL32 ref: 0000026C9CB8B50F

Part of subcall function 0000026C9CB93E0C: _errno.LIBCMT ref: 0000026C9CB93E2B
Part of subcall function 0000026C9CB93E0C: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB93E37

Part of subcall function 0000026C9CB93E0C: _errno.LIBCMT ref: 0000026C9CB93E67

GetLocalTime.KERNEL32 ref: 0000026C9CB8B568
wsprintfW.USER32 ref: 0000026C9CB8B5AE
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026C9CB8B5BB
CloseHandle.KERNEL32 ref: 0000026C9CB8B5E1

Part of subcall function 0000026C9CB93E78: malloc.LIBCMT ref: 0000026C9CB93E92

Part of subcall function 0000026C9CB93FEC: _errno.LIBCMT ref: 0000026C9CB94017
Part of subcall function 0000026C9CB93FEC: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB94022

Sleep.KERNEL32 ref: 0000026C9CB8B761
EnumWindows.USER32 ref: 0000026C9CB8B781
Sleep.KERNEL32 ref: 0000026C9CB8B795
EnumWindows.USER32 ref: 0000026C9CB8B7AC
CreateEventA.KERNEL32 ref: 0000026C9CB8B819
Sleep.KERNEL32 ref: 0000026C9CB8B885
CloseHandle.KERNEL32 ref: 0000026C9CB8B8BE
Sleep.KERNEL32 ref: 0000026C9CB8B905
WaitForSingleObject.KERNEL32 ref: 0000026C9CB8B932
CloseHandle.KERNEL32 ref: 0000026C9CB8B93B
CloseHandle.KERNEL32 ref: 0000026C9CB8B94C
WaitForSingleObject.KERNEL32 ref: 0000026C9CB8B96F
CloseHandle.KERNEL32 ref: 0000026C9CB8B978
CloseHandle.KERNEL32 ref: 0000026C9CB8B989

Strings

6666, xrefs: 0000026C9CB8B626
206.238.220.204, xrefs: 0000026C9CB8B61A
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 0000026C9CB8B5A0
206.238.220.204, xrefs: 0000026C9CB8B647
8888, xrefs: 0000026C9CB8B653

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandle$Sleep$_errno$EnumObjectSingleWaitWindows_invalid_parameter_noinfo$CreateEventExceptionFilterLocalTimeUnhandledmallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$206.238.220.204$206.238.220.204$6666$8888
API String ID: 1954332545-3840522574
Opcode ID: e24b6ed1d8ea57e9a4e8ffa4945a5f3e950eb114645b7d582015a0678ead6225
Instruction ID: ed9210369d74e5295b7cc2b57f2d4f5b08d8d155ee40fc8ac2cb029b6adf6195
Opcode Fuzzy Hash: e24b6ed1d8ea57e9a4e8ffa4945a5f3e950eb114645b7d582015a0678ead6225
Instruction Fuzzy Hash: 1CE15B35106A44C6EB24BF21E8A87BA77B0F795745FB00126E6CA07AE4CF7BC949C740

Function 0000026C9CB8B9A0 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
sleepsynchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 0000026C9CB8B9F4
GetLocalTime.KERNEL32 ref: 0000026C9CB8B9FF
wsprintfW.USER32 ref: 0000026C9CB8BA45
Sleep.KERNEL32 ref: 0000026C9CB8BAD7
EnumWindows.USER32 ref: 0000026C9CB8BAEE
Sleep.KERNEL32 ref: 0000026C9CB8BB05
EnumWindows.USER32 ref: 0000026C9CB8BB1C
Sleep.KERNEL32 ref: 0000026C9CB8BB2E
CreateEventA.KERNEL32 ref: 0000026C9CB8BB94
CloseHandle.KERNEL32 ref: 0000026C9CB8BC21

Part of subcall function 0000026C9CB93E78: malloc.LIBCMT ref: 0000026C9CB93E92

Sleep.KERNEL32 ref: 0000026C9CB8BC5F
WaitForSingleObject.KERNEL32 ref: 0000026C9CB8BC83
CloseHandle.KERNEL32 ref: 0000026C9CB8BC8C
CloseHandle.KERNEL32 ref: 0000026C9CB8BC9D
WaitForSingleObject.KERNEL32 ref: 0000026C9CB8BCB7
CloseHandle.KERNEL32 ref: 0000026C9CB8BCC0
CloseHandle.KERNEL32 ref: 0000026C9CB8BCD1

Strings

%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 0000026C9CB8BA37
6341, xrefs: 0000026C9CB8BB37, 0000026C9CB8BB61
192.168.1.2, xrefs: 0000026C9CB8BB46, 0000026C9CB8BBB5

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventLocalTimemallocwsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$192.168.1.2$6341
API String ID: 2252640433-291747511
Opcode ID: 5113a276d7b3d7c4d49730e836482ad4f995803a9944a159e0f4035b0e1660b7
Instruction ID: e3e323accacb2615fb48551e3c3c01420cefa30ba6004cd2a90dee8e39ebbb1f
Opcode Fuzzy Hash: 5113a276d7b3d7c4d49730e836482ad4f995803a9944a159e0f4035b0e1660b7
Instruction Fuzzy Hash: 50919072606A40C6EB20AF25E8983BE77B0F785B94F604115EACA07BE4DF7EC549C740

Function 00007FF7F7314610 Relevance: 31.9, APIs: 16, Strings: 2, Instructions: 354
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F7314648
GetProcAddress.KERNEL32 ref: 00007FF7F7314658
SetLastError.KERNEL32 ref: 00007FF7F73146A7
GetNativeSystemInfo.KERNELBASE ref: 00007FF7F731472D
VirtualAlloc.KERNELBASE ref: 00007FF7F7314779
VirtualAlloc.KERNEL32 ref: 00007FF7F7314796
SetLastError.KERNEL32 ref: 00007FF7F73147A7
GetProcessHeap.KERNEL32 ref: 00007FF7F73147BC
HeapAlloc.KERNEL32 ref: 00007FF7F73147CE
VirtualFree.KERNEL32 ref: 00007FF7F73147EC
SetLastError.KERNEL32 ref: 00007FF7F73147F5
SetLastError.KERNEL32 ref: 00007FF7F7314866

Part of subcall function 00007FF7F7314B90: GetProcessHeap.KERNEL32(?,?,?,00007FF7F7314874), ref: 00007FF7F7314C34
Part of subcall function 00007FF7F7314B90: HeapFree.KERNEL32(?,?,?,00007FF7F7314874), ref: 00007FF7F7314C42

VirtualAlloc.KERNELBASE ref: 00007FF7F73148CA
VirtualAlloc.KERNELBASE ref: 00007FF7F731498D
RtlAddFunctionTable.KERNEL32 ref: 00007FF7F7314B1C
SetLastError.KERNEL32 ref: 00007FF7F7314B77

Strings

ntdll, xrefs: 00007FF7F7314641
RtlAddFunctionTable, xrefs: 00007FF7F7314651

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: AllocErrorLastVirtual$Heap$FreeProcess$AddressFunctionHandleInfoModuleNativeProcSystemTable
String ID: RtlAddFunctionTable$ntdll
API String ID: 1700573182-1103699993
Opcode ID: 1198e67249c0b7e84dde9154b3b4e9c9355052bda3a350e5c94f78a972d0fa75
Instruction ID: d12f8aa4e7019dcaa70dcd2d6493a6624e38c759bd67162dd0ac25db05615054
Opcode Fuzzy Hash: 1198e67249c0b7e84dde9154b3b4e9c9355052bda3a350e5c94f78a972d0fa75
Instruction Fuzzy Hash: CEF18C3AF0968297EB60AB15E450779B3A1FF44B94F854039CA6E47790DF7CE442C790

Function 0000026C9CB84900 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 133
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000026C9CB8496B
RegQueryValueExW.ADVAPI32 ref: 0000026C9CB849DC
lstrcmpW.KERNEL32 ref: 0000026C9CB849F9
RegCloseKey.ADVAPI32 ref: 0000026C9CB84B23
RegCloseKey.ADVAPI32 ref: 0000026C9CB84B2E

Strings

error, xrefs: 0000026C9CB84B12
%s-%d, xrefs: 0000026C9CB84AE2

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcmp
String ID: %s-%d$error
API String ID: 4288439342-992067998
Opcode ID: 339020dc813d921992459e6716a65cd383114c8633f93e4cc4539f4e2fb5fbc3
Instruction ID: acb5812799780f4feb31c7a867ef621a71572fe9b0fab6254912aa46a5aed3cf
Opcode Fuzzy Hash: 339020dc813d921992459e6716a65cd383114c8633f93e4cc4539f4e2fb5fbc3
Instruction Fuzzy Hash: 73512331216A51C2EB60DB11F89877B73B4F784B85F905125FACA83AA4EF3EC549CB40

Function 00007FF7F7313FB0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 79
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF7F7313FE9
CryptAcquireContextW.ADVAPI32 ref: 00007FF7F731400C
CryptCreateHash.ADVAPI32 ref: 00007FF7F731403F
CryptHashData.ADVAPI32 ref: 00007FF7F731405B
CryptDeriveKey.ADVAPI32 ref: 00007FF7F7314081
CryptDecrypt.ADVAPI32 ref: 00007FF7F73140AD
CryptDestroyKey.ADVAPI32 ref: 00007FF7F73140B7
CryptDestroyHash.ADVAPI32 ref: 00007FF7F73140C1
CryptReleaseContext.ADVAPI32 ref: 00007FF7F73140CD
CloseHandle.KERNEL32 ref: 00007FF7F73140DA
CloseHandle.KERNEL32 ref: 00007FF7F73140E7

Strings

2b134t52mhhbGaN4, xrefs: 00007FF7F731404D
Error creating a keyset!, xrefs: 00007FF7F7314016
Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00007FF7F7313FD0, 00007FF7F7313FFF

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Crypt$ContextHash$AcquireCloseDestroyHandle$CreateDataDecryptDeriveRelease
String ID: 2b134t52mhhbGaN4$Error creating a keyset!$Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 3666277636-84394693
Opcode ID: f172555bccba036a97b3cd1372cebb2be6ca885063ea5db245dcb55184fec282
Instruction ID: c4d893568dbef26ce094fd7e51bbbf7fc424321a89b7f8472bf0707a72cfb2d2
Opcode Fuzzy Hash: f172555bccba036a97b3cd1372cebb2be6ca885063ea5db245dcb55184fec282
Instruction Fuzzy Hash: FC417F3AF04A52C6F710EB61E8005B9B7B1FF84768B914235C92E53AE4DF38D10AC791

Function 0000026C9CB84D10 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 82
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 0000026C9CB84D25
GetProcAddress.KERNEL32 ref: 0000026C9CB84D41
swprintf.LIBCMT ref: 0000026C9CB84DA1

Part of subcall function 0000026C9CB93DE8: _vswprintf_s_l.LIBCMT ref: 0000026C9CB93E02

Part of subcall function 0000026C9CB84C90: GetModuleHandleW.KERNEL32 ref: 0000026C9CB84CBB
Part of subcall function 0000026C9CB84C90: GetProcAddress.KERNEL32 ref: 0000026C9CB84CCB
Part of subcall function 0000026C9CB84C90: GetNativeSystemInfo.KERNELBASE ref: 0000026C9CB84CDB

RegOpenKeyExW.ADVAPI32 ref: 0000026C9CB84E07
RegQueryValueExW.ADVAPI32 ref: 0000026C9CB84E32
RegCloseKey.ADVAPI32 ref: 0000026C9CB84E57
FreeLibrary.KERNEL32 ref: 0000026C9CB84E6D

Strings

%d.%d.%d, xrefs: 0000026C9CB84D86
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0000026C9CB84DE6
ProductName, xrefs: 0000026C9CB84E1E
RtlGetNtVersionNumbers, xrefs: 0000026C9CB84D37
ntdll.dll, xrefs: 0000026C9CB84D1B

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValue_vswprintf_s_lswprintf
String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 1494749741-3190923360
Opcode ID: 63a278c1726442162d98cc2237712d9ccc026d0492f426b623a28aeacd60e9e6
Instruction ID: 7b1e13287b735aec06d7aa99fc827a25a8c1875718494636e40e9b6704219acc
Opcode Fuzzy Hash: 63a278c1726442162d98cc2237712d9ccc026d0492f426b623a28aeacd60e9e6
Instruction Fuzzy Hash: D7316032216781C6EB60AB21F4587BA73B4F785B94F644211EEDA17B98DF3AC505CB10

Function 0000026C9CB814F0 Relevance: 18.1, APIs: 12, Instructions: 139
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 0000026C9CB81526
timeGetTime.WINMM ref: 0000026C9CB81535
socket.WS2_32 ref: 0000026C9CB8156D
lstrlenW.KERNEL32 ref: 0000026C9CB8159A
WideCharToMultiByte.KERNEL32 ref: 0000026C9CB815BE
lstrlenW.KERNEL32 ref: 0000026C9CB815D8
WideCharToMultiByte.KERNEL32 ref: 0000026C9CB815FB
gethostbyname.WS2_32 ref: 0000026C9CB81608
htons.WS2_32 ref: 0000026C9CB81630
connect.WS2_32 ref: 0000026C9CB8165A

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventResetTimeconnectgethostbynamehtonssockettime
String ID:
API String ID: 950253168-0
Opcode ID: e4f1b628e603b8c0e271cec45e5bcd3519c32228a8b6efe7a25591412e67fb9e
Instruction ID: 8e824c17b5f528d1ed209618fbe977e5d6acf9dd49b48f9d6a99e568a0066729
Opcode Fuzzy Hash: e4f1b628e603b8c0e271cec45e5bcd3519c32228a8b6efe7a25591412e67fb9e
Instruction Fuzzy Hash: EF513732605B80C7DB60DF65F44436AB7B4F789B98F504219EACA53B64DF3EC0599B00

Function 00000001400014F0 Relevance: 18.1, APIs: 12, Instructions: 139
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 0000000140001526
timeGetTime.WINMM ref: 0000000140001535
socket.WS2_32 ref: 000000014000156D
lstrlenW.KERNEL32 ref: 000000014000159A
WideCharToMultiByte.KERNEL32 ref: 00000001400015BE
lstrlenW.KERNEL32 ref: 00000001400015D8
WideCharToMultiByte.KERNEL32 ref: 00000001400015FB
gethostbyname.WS2_32 ref: 0000000140001608
htons.WS2_32 ref: 0000000140001630
connect.WS2_32 ref: 000000014000165A

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventResetTimeconnectgethostbynamehtonssockettime
String ID:
API String ID: 950253168-0
Opcode ID: 6be368349b335f687857114e3581a3aed3ff549df64c905fc01b56a36ba75a01
Instruction ID: e00b2aa1afe8dc942cd989892e5c322118a8095490c56380a45fdb8c14d7f693
Opcode Fuzzy Hash: 6be368349b335f687857114e3581a3aed3ff549df64c905fc01b56a36ba75a01
Instruction Fuzzy Hash: 76512A72204B8087DB65CF66F8407AAB7A4F789B98F004219EB9E57B65DF3DC149DB00

Function 00000001400041B0 Relevance: 16.5, APIs: 11, Instructions: 43
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00000001400041BD
GetConsoleWindow.KERNEL32 ref: 00000001400041C3
ShowWindow.USER32 ref: 00000001400041CE
GetCurrentThreadId.KERNEL32 ref: 00000001400041D4
PostThreadMessageA.USER32 ref: 00000001400041E4
GetInputState.USER32 ref: 00000001400041EA
CreateThread.KERNELBASE ref: 000000014000420E
CreateThread.KERNELBASE ref: 0000000140004232
WaitForSingleObject.KERNEL32 ref: 0000000140004242
CloseHandle.KERNEL32 ref: 000000014000424F
Sleep.KERNEL32 ref: 000000014000425A

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$CreateWindow$CloseConsoleCurrentExceptionFilterHandleInputMessageObjectPostShowSingleSleepStateUnhandledWait
String ID:
API String ID: 1785272045-0
Opcode ID: ee474838568d569156a9ab4685564af73a3dd786a2dd2134ad0acab19430d296
Instruction ID: fe11c5c89b342f1589b79449597d4b3e4c24726e3e961e716cd572b682034483
Opcode Fuzzy Hash: ee474838568d569156a9ab4685564af73a3dd786a2dd2134ad0acab19430d296
Instruction Fuzzy Hash: 52111575610A0082F717DB72FC697EA33A2BB8C795F44412ABB5A4B671CF3985899200

Function 0000026C9CB84770 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDriveTypeW.KERNEL32 ref: 0000026C9CB847DA
GetDiskFreeSpaceExW.KERNEL32 ref: 0000026C9CB847FE
GlobalMemoryStatusEx.KERNEL32 ref: 0000026C9CB84865
swprintf.LIBCMT ref: 0000026C9CB848A2
swprintf.LIBCMT ref: 0000026C9CB848BE

Strings

%sFree%d Gb , xrefs: 0000026C9CB848A7
@, xrefs: 0000026C9CB8482E
:, xrefs: 0000026C9CB847BE
HDD:%d, xrefs: 0000026C9CB84879

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType
String ID: %sFree%d Gb $:$@$HDD:%d
API String ID: 2105347210-3501811827
Opcode ID: 921d8f27bbcfc5cac4d84ec7f6df4691689466164058b9f85b3ed9747272aa44
Instruction ID: edac89a69e61c022d170a2da520a0fb41f1901c1065afab2062fdb0ccf8c607b
Opcode Fuzzy Hash: 921d8f27bbcfc5cac4d84ec7f6df4691689466164058b9f85b3ed9747272aa44
Instruction Fuzzy Hash: CC313736209B84C6E760EB15F8447ABB7B4F389788FA01116EACD43B19DF3AC556CB00

Function 0000026C9CB84B60 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 63comstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000026C9CB84B86

Part of subcall function 0000026C9CB84900: RegOpenKeyExW.ADVAPI32 ref: 0000026C9CB8496B
Part of subcall function 0000026C9CB84900: RegCloseKey.ADVAPI32 ref: 0000026C9CB84B23
Part of subcall function 0000026C9CB84900: RegCloseKey.ADVAPI32 ref: 0000026C9CB84B2E

CoInitialize.OLE32 ref: 0000026C9CB84BB8
CoCreateInstance.OLE32 ref: 0000026C9CB84BDC
swprintf.LIBCMT ref: 0000026C9CB84C6A

Strings

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000, xrefs: 0000026C9CB84B9B
DriverDesc, xrefs: 0000026C9CB84B94
%s , xrefs: 0000026C9CB84C31

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Close$CreateInitializeInstanceOpenlstrlenswprintf
String ID: %s $DriverDesc$SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
API String ID: 900129089-2074342395
Opcode ID: 414001dd6f4b59178dfbdb8a04c3b81a196c16d8098a2c073610e78b58e0a71d
Instruction ID: 44e44f2999d861d8ffaa7594ab7bc2ecf13e47f48022384dbc350ab9ea068822
Opcode Fuzzy Hash: 414001dd6f4b59178dfbdb8a04c3b81a196c16d8098a2c073610e78b58e0a71d
Instruction Fuzzy Hash: B9218572225A89C3EB10DF25E4597A977B0F7C8B45F905112EACE43B54DF3AC909CB00

Function 0000026C9CB96968 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000026C9CB969D5
RtlLookupFunctionEntry.KERNEL32 ref: 0000026C9CB969ED
RtlVirtualUnwind.KERNEL32 ref: 0000026C9CB96A27
IsDebuggerPresent.KERNEL32 ref: 0000026C9CB96A5D
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026C9CB96A67
UnhandledExceptionFilter.KERNEL32 ref: 0000026C9CB96A72

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 14f04c64a592990b04a434c863bea14f9e693fb1411986df20686f0e1fcf2037
Instruction ID: bd8ab25055cdf1c4f00d1f9544e5d18c370cd6b099f676828110252e3c138bc8
Opcode Fuzzy Hash: 14f04c64a592990b04a434c863bea14f9e693fb1411986df20686f0e1fcf2037
Instruction Fuzzy Hash: 77314E32215B80C6DB60EB25E8487BE73B4F788798F600115EADD43B99DF3AC555CB00

Function 0000026C9CB995AC Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 0000026C9CB995C2
GetVersion.KERNEL32 ref: 0000026C9CB995D4
HeapSetInformation.KERNEL32 ref: 0000026C9CB995F2

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: 2da6a33331be37aea9e041944a378e02ae9d1d2031e246c02c7f00763c845b9d
Instruction ID: 2463b50f8d69bbb081123bf6edbc3b25ffb6a7c0226bc862cae08bc0b8aa3f70
Opcode Fuzzy Hash: 2da6a33331be37aea9e041944a378e02ae9d1d2031e246c02c7f00763c845b9d
Instruction Fuzzy Hash: E3E0C974A12650C3FB846715E84D77932B1F798745FA45415E9CA03B94EF3A85458710

Function 0000026C9CB81750 Relevance: 3.1, APIs: 2, Instructions: 64networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB93E78: malloc.LIBCMT ref: 0000026C9CB93E92

select.WS2_32 ref: 0000026C9CB817E5
recv.WS2_32 ref: 0000026C9CB81807

Part of subcall function 0000026C9CB81BC0: VirtualAlloc.KERNEL32 ref: 0000026C9CB81D4E

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: AllocVirtualmallocrecvselect
String ID:
API String ID: 1241053632-0
Opcode ID: a988ccf7a066a7ec199917bd5ea2c0e45977bb7d9429f392867354966ccba78a
Instruction ID: 72a34ec5176a50ef011136d5b2f28e1f0a07e3bce7b67a6e404a10e5ccf7df62
Opcode Fuzzy Hash: a988ccf7a066a7ec199917bd5ea2c0e45977bb7d9429f392867354966ccba78a
Instruction Fuzzy Hash: 2A219F72716A80C1EB60AB25F5993BE72B0F789B88F600125DB8E47B99DF3AC0058704

Function 0000026C9CB83830 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 70
synchronizationsleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0000026C9CB83854
CreateMutexExW.KERNELBASE ref: 0000026C9CB8385A
Sleep.KERNEL32 ref: 0000026C9CB83875
CreateMutexW.KERNEL32 ref: 0000026C9CB83886
GetLastError.KERNEL32 ref: 0000026C9CB8388C
lstrlenW.KERNEL32 ref: 0000026C9CB838C5
lstrcmpW.KERNEL32 ref: 0000026C9CB83902
Sleep.KERNEL32 ref: 0000026C9CB83911
GetModuleHandleW.KERNEL32 ref: 0000026C9CB83922
GetConsoleWindow.KERNEL32 ref: 0000026C9CB8392D

Strings

2024. 9. 2, xrefs: 0000026C9CB83849, 0000026C9CB8387B
key, xrefs: 0000026C9CB838D7
open, xrefs: 0000026C9CB838D0

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CreateMutex$Sleep$ConsoleErrorHandleLastModuleWindowlstrcmplstrlen
String ID: 2024. 9. 2$key$open
API String ID: 4141083079-93764921
Opcode ID: 66d0600071f0f3915794d2991b8f21b3d63c5bbc832a269f4ff7be3149a67255
Instruction ID: 2e51d2bb220331a6f181effb0746fa396318fbd75d01eb1b96f41a507a2dfb52
Opcode Fuzzy Hash: 66d0600071f0f3915794d2991b8f21b3d63c5bbc832a269f4ff7be3149a67255
Instruction Fuzzy Hash: 6B314B71612A45C2FB50BB20E8AC3BA33F1FB94705FA04566E5CA42AA5DF3BC808C740

Function 0000000140003AC0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 0000000140003B10
SleepEx.KERNELBASE ref: 0000000140003B45
SleepEx.KERNELBASE ref: 0000000140003CB4
CreateEventA.KERNEL32 ref: 0000000140003D0B
SleepEx.KERNELBASE ref: 0000000140003D4F
CloseHandle.KERNELBASE ref: 0000000140003D8E

Strings

6666, xrefs: 0000000140003B86, 0000000140003BB3, 0000000140003C19, 0000000140003CBD
206.238.220.204, xrefs: 0000000140003B9B
206.238.220.204, xrefs: 0000000140003B6E
8888, xrefs: 0000000140003BA7
206.238.220.204, xrefs: 0000000140003B5E, 0000000140003C01, 0000000140003CCC
6666, xrefs: 0000000140003B7A

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Sleep$CloseCreateEventHandle
String ID: 206.238.220.204$206.238.220.204$206.238.220.204$6666$6666$8888
API String ID: 1603472376-913434440
Opcode ID: a0f3fcac8467a186e70fc3d0f1e9634cb6668e8e39ecb6f8bf227a2d123b2ab3
Instruction ID: f9672b19bd4d940d0eafbb644b3287daaa15567fe727fe739266967074bb03a5
Opcode Fuzzy Hash: a0f3fcac8467a186e70fc3d0f1e9634cb6668e8e39ecb6f8bf227a2d123b2ab3
Instruction Fuzzy Hash: B2812475220A4086E713DB66E854BE977A5F78DBC4F80412AFB1A47AF1CF38C945C740

Function 00000001400094E0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32 ref: 0000000140009508
connect.WS2_32 ref: 000000014000952D
WSAGetLastError.WS2_32 ref: 000000014000953C
connect.WS2_32 ref: 0000000140009577
WSAEventSelect.WS2_32 ref: 0000000140009590
SetLastError.KERNEL32 ref: 00000001400095AB
GetLastError.KERNEL32 ref: 00000001400095C3
WSASetLastError.WS2_32 ref: 00000001400095D5
send.WS2_32 ref: 00000001400095F9
WSAGetLastError.WS2_32 ref: 0000000140009604

Strings

<C-CNNID: %Iu> send 0 bytes (detect package), xrefs: 0000000140009618

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$EventSelectconnect$send
String ID: <C-CNNID: %Iu> send 0 bytes (detect package)
API String ID: 1826129850-4236689219
Opcode ID: 139d6e0b11e75e2d957019177b71ab07b7833485f606efeb0368cc19468fda0d
Instruction ID: 99e2289132232311c34ceb59dbb758c0b81f7082a8ce3018f105167220c7fc9e
Opcode Fuzzy Hash: 139d6e0b11e75e2d957019177b71ab07b7833485f606efeb0368cc19468fda0d
Instruction Fuzzy Hash: 22316171714A1082FBA2DB67E8957A92260FB4CBE4F500624EB1D87AF0CF79C8D59700

Function 00007FF7F7319920 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00007FF7F73199E8
GetProcAddress.KERNEL32 ref: 00007FF7F7319A2F
GetProcAddress.KERNEL32 ref: 00007FF7F7319A72
GetFileVersionInfoSizeExW.KERNELBASE ref: 00007FF7F7319AC1
GetFileVersionInfoW.KERNELBASE ref: 00007FF7F7319AE8

Strings

GetFileVersionInfoSizeW, xrefs: 00007FF7F73199DE
VerQueryValueW, xrefs: 00007FF7F7319A25
GetFileVersionInfoW, xrefs: 00007FF7F7319A68

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc$FileInfoVersion$Size
String ID: GetFileVersionInfoSizeW$GetFileVersionInfoW$VerQueryValueW
API String ID: 2598009218-981298171
Opcode ID: efbc4de875c51c5db1a2f3792e47a6250654341176fabd58788366e8468207f5
Instruction ID: 8b2b01bfdebf4866d7be9a385c0a9a5105c0f43be585cafebdebb116ab806ed8
Opcode Fuzzy Hash: efbc4de875c51c5db1a2f3792e47a6250654341176fabd58788366e8468207f5
Instruction Fuzzy Hash: 3171A226F096D29AFB11EB61D4502BCA3A4AF487A8F904139DD6E537C9DE7CD407C3A0

Function 0000000140009F70 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140009900: EnterCriticalSection.KERNEL32 ref: 000000014000992E
Part of subcall function 0000000140009900: LeaveCriticalSection.KERNEL32 ref: 0000000140009982

send.WS2_32 ref: 0000000140009FD3
EnterCriticalSection.KERNEL32 ref: 0000000140009FE6
LeaveCriticalSection.KERNEL32 ref: 0000000140009FF9
SetLastError.KERNEL32 ref: 000000014000A001
WSAGetLastError.WS2_32 ref: 000000014000A07E
EnterCriticalSection.KERNEL32 ref: 000000014000A092
LeaveCriticalSection.KERNEL32 ref: 000000014000A0D8

Strings

<C-CNNID: %Iu> OnSend() event should not return 'HR_ERROR' !!, xrefs: 000000014000A024

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLast$send
String ID: <C-CNNID: %Iu> OnSend() event should not return 'HR_ERROR' !!
API String ID: 484515946-1981346945
Opcode ID: 5d57d71f2378e127ec58ca066b800eec07ab1c04eeec1237c94df71af28c7d82
Instruction ID: e19302107cfcd4d779bf577067bd819c2068326c636a879e7a686293c695ea1d
Opcode Fuzzy Hash: 5d57d71f2378e127ec58ca066b800eec07ab1c04eeec1237c94df71af28c7d82
Instruction Fuzzy Hash: D35158B2205B4086EA66DB22F5403EEB3A5F74DBE0F440216EB9A47BA5DF38D595C700

Function 0000000140003DA0 Relevance: 10.6, APIs: 7, Instructions: 124sleepCOMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 0000000140003DF0
Sleep.KERNEL32 ref: 0000000140003E25
Sleep.KERNEL32 ref: 0000000140003EAB
SleepEx.KERNELBASE ref: 0000000140003EB6
CreateEventA.KERNEL32 ref: 0000000140003F0D
Sleep.KERNEL32 ref: 0000000140003F51
CloseHandle.KERNEL32 ref: 0000000140003F90

Part of subcall function 000000014000C364: malloc.LIBCMT ref: 000000014000C37E

Part of subcall function 0000000140001E00: timeGetTime.WINMM ref: 0000000140001E8B
Part of subcall function 0000000140001E00: CreateEventW.KERNEL32 ref: 0000000140001E9F
Part of subcall function 0000000140001E00: CreateEventW.KERNEL32 ref: 0000000140001EB3

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Sleep$CreateEvent$CloseHandleTimemalloctime
String ID:
API String ID: 3316233393-0
Opcode ID: 482f008a18393b0adca5cb6b4fb91beae11170d46349654fa1bb411dd128e68f
Instruction ID: 8082ef83bc92b70553dfdb52a9dee960ae8875b1953704e18da45eb19ea91207
Opcode Fuzzy Hash: 482f008a18393b0adca5cb6b4fb91beae11170d46349654fa1bb411dd128e68f
Instruction Fuzzy Hash: B7514572205B4086EB26DB22E5587E973A9E78DBD4F40421AFB5A47BE5CF38C944CB40

Function 0000026C9CB84C90 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000026C9CB84CBB
GetProcAddress.KERNEL32 ref: 0000026C9CB84CCB
GetNativeSystemInfo.KERNELBASE ref: 0000026C9CB84CDB
GetSystemInfo.KERNEL32 ref: 0000026C9CB84CDF

Strings

kernel32.dll, xrefs: 0000026C9CB84C96
GetNativeSystemInfo, xrefs: 0000026C9CB84CC1

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 4c543a427f66828ddaee1c6b6b9de7146d4486ede89bd39138456da059a21970
Instruction ID: 7b93d89bbc848e30fbd4925d11d2df4bfe5e0043c7f40fb5c13d1854be9fc917
Opcode Fuzzy Hash: 4c543a427f66828ddaee1c6b6b9de7146d4486ede89bd39138456da059a21970
Instruction Fuzzy Hash: D501BB35616B85C6DBA0AB50F86837A72F5F788740FA40525D6CE43794EF3EC5648B10

Function 00007FF7F737FEF0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 358COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7381260: GetFileAttributesW.KERNEL32 ref: 00007FF7F738133B
Part of subcall function 00007FF7F7381260: GetLastError.KERNEL32 ref: 00007FF7F7381378

SetErrorMode.KERNELBASE ref: 00007FF7F738013D
GetFileAttributesExW.KERNELBASE ref: 00007FF7F738018E
SetErrorMode.KERNEL32 ref: 00007FF7F7380289

Part of subcall function 00007FF7F7381950: CoCreateInstance.OLE32 ref: 00007FF7F73819C4
Part of subcall function 00007FF7F7381950: CoInitialize.OLE32 ref: 00007FF7F73819D6
Part of subcall function 00007FF7F7381950: CoCreateInstance.OLE32 ref: 00007FF7F73819FA

SetErrorMode.KERNELBASE ref: 00007FF7F7380279

Strings

.lnk, xrefs: 00007FF7F737FF6E

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Error$Mode$AttributesCreateFileInstance$InitializeLast
String ID: .lnk
API String ID: 3954637025-24824748
Opcode ID: b24c9fa08b6c10a9395fee26efdd86fb9591dd87fe76247a54ad9b3307d2d46f
Instruction ID: 9767d9c5006a4ebc35a844676f8172238514dda7a31090aca4bf3f6e3ea67c05
Opcode Fuzzy Hash: b24c9fa08b6c10a9395fee26efdd86fb9591dd87fe76247a54ad9b3307d2d46f
Instruction Fuzzy Hash: 73F1C13761968197E720EF25D4402AEB3A0FF84B58F544139EA6D876D8DF3CD942CBA0

Function 0000000140009290 Relevance: 9.1, APIs: 6, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32 ref: 00000001400092CE
WSAGetLastError.WS2_32 ref: 00000001400092D9

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorEventLastSelect
String ID:
API String ID: 1135597009-0
Opcode ID: ca51bb135ca9b6b53a41005a3fb522d120fffd9efbfa981f642130a86738c22e
Instruction ID: 9b8ff33ad4f21ee875c00557280bc8415497f07eb4acfa47184f87d0d427e899
Opcode Fuzzy Hash: ca51bb135ca9b6b53a41005a3fb522d120fffd9efbfa981f642130a86738c22e
Instruction Fuzzy Hash: E9218EF26006008BF759CF76E4493A936E0E70CB99F650218DB19C76E0CBBAC9D6DB44

Function 0000026C9CB93FEC Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB94017
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB94022
_getptd.LIBCMT ref: 0000026C9CB94048
CreateThread.KERNEL32 ref: 0000026C9CB9409D
GetLastError.KERNEL32 ref: 0000026C9CB940A8
free.LIBCMT ref: 0000026C9CB940B3

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: 1fc69dd64072fa7bf409c8ce7061121ab39990cf21b2db261d2c093eb0dfa2fa
Instruction ID: 5f880ac9181c2f12e2907e79713121bb8487ba28d92c78aa8c40f92f9aecd6a3
Opcode Fuzzy Hash: 1fc69dd64072fa7bf409c8ce7061121ab39990cf21b2db261d2c093eb0dfa2fa
Instruction Fuzzy Hash: AA21A731205B80C6FB54BBA6E5497BEB2B4F784BD8F644225AED9037D6DF3AC4508B00

Function 000000014000C4D8 Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014000C503
_invalid_parameter_noinfo.LIBCMT ref: 000000014000C50E
_getptd.LIBCMT ref: 000000014000C534
CreateThread.KERNELBASE ref: 000000014000C589
GetLastError.KERNEL32 ref: 000000014000C594
free.LIBCMT ref: 000000014000C59F

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: b11140e7446571eafd14e7012cf083d785f14c4c77ccc4c9425ccbac4b8ec313
Instruction ID: 37f882430a81e144da6995cd907b33d2ea7b296969054656d38c24131aaea18f
Opcode Fuzzy Hash: b11140e7446571eafd14e7012cf083d785f14c4c77ccc4c9425ccbac4b8ec313
Instruction Fuzzy Hash: A72195B1215B8086EA16DB67B9417DAB290F78CBD0F444625BF69037E6DF38D4508740

Function 00007FF7F7344400 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7F73444C4
GetProcAddress.KERNEL32 ref: 00007FF7F7344586

Strings

winmm, xrefs: 00007FF7F7344464, 00007FF7F7344533
timeSetEvent, xrefs: 00007FF7F73444BA
timeKillEvent, xrefs: 00007FF7F734457C

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc
String ID: timeKillEvent$timeSetEvent$winmm
API String ID: 190572456-1618422980
Opcode ID: 122c8a63f252d51b526212ba5446e8d602476a32e04a82d9a1aae74211740df4
Instruction ID: 2760bf511119373caba2bded11ffe22a43d675ce8208d3cec59d250bd99a3d23
Opcode Fuzzy Hash: 122c8a63f252d51b526212ba5446e8d602476a32e04a82d9a1aae74211740df4
Instruction Fuzzy Hash: 6251A479A096919AFB54EF24DC416B8A3A0AF40768F944138ED2E437D9DF3CD847C7A0

Function 000000014000B3B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000000014000B3F1

Part of subcall function 000000014000CDD8: HeapFree.KERNEL32(?,?,?,000000014000105E), ref: 000000014000CDEE
Part of subcall function 000000014000CDD8: _errno.LIBCMT ref: 000000014000CDF8

malloc.LIBCMT ref: 000000014000B452
free.LIBCMT ref: 000000014000B46D
SetWaitableTimer.KERNELBASE ref: 000000014000B50C

Strings

bad allocation, xrefs: 000000014000B487

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeapTimerWaitable_errnomalloc
String ID: bad allocation
API String ID: 996728788-2104205924
Opcode ID: f8b2bde9cf209f261d56d6a1b00d68b5bb4cd4d590ef32a8494881bf267ae9a2
Instruction ID: 94c656a112711b9f92b20cc6127c6b9282d1092eb86de163954d4faba0118a15
Opcode Fuzzy Hash: f8b2bde9cf209f261d56d6a1b00d68b5bb4cd4d590ef32a8494881bf267ae9a2
Instruction Fuzzy Hash: 9A412472212B8489EB61DF66E9547D833A8F748BC8F984125EF4D0BB69DF78C551C304

Function 0000000140002B10 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000000140002CA9
CloseHandle.KERNELBASE ref: 0000000140002CE7

Strings

l, xrefs: 0000000140002BAF
., xrefs: 0000000140002B9D
n, xrefs: 0000000140002BC1

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: AllocCloseHandleVirtual
String ID: .$l$n
API String ID: 1420394295-2376909228
Opcode ID: ce9479c637d506cdde78aefb60dd895aff2b1a61f0d53a8078a23adf0ea733dc
Instruction ID: cecaae5f03fb596294a166a6b727b5315bd6c99abd8d4f327956ccdac3478328
Opcode Fuzzy Hash: ce9479c637d506cdde78aefb60dd895aff2b1a61f0d53a8078a23adf0ea733dc
Instruction Fuzzy Hash: 81519C76324A8086E721DF26E4447DAB761F78DB84F10902AFB4A87BA5DF3DC505CB01

Function 00000001400062D0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 0000000140006315
setsockopt.WS2_32 ref: 0000000140006338
setsockopt.WS2_32 ref: 0000000140006368
setsockopt.WS2_32 ref: 000000014000638B
SetLastError.KERNEL32 ref: 00000001400063A3

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: setsockopt$ErrorLast
String ID:
API String ID: 1564866530-0
Opcode ID: a4858c02dc920b4e29ad202f91ccd05f850526e49aa390ca8bb9a02fdcc47647
Instruction ID: 602cb659ebd87d0b786e6d9020230c23cdfcde8f81faa4eb3e089f71648bbc11
Opcode Fuzzy Hash: a4858c02dc920b4e29ad202f91ccd05f850526e49aa390ca8bb9a02fdcc47647
Instruction Fuzzy Hash: EC117271318981C3F720CF65F5043AAA761F7897A8FA40225FB9807EE8CB7EC5498B04

Function 00007FF7F73B57F0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 256COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7F73B5882

Part of subcall function 00007FF7F73B5B90: GetProcAddress.KERNEL32 ref: 00007FF7F73B5C8C
Part of subcall function 00007FF7F73B5B90: _Init_thread_footer.LIBCMT ref: 00007FF7F73B5D07

Strings

/data, xrefs: 00007FF7F73B5A5C
/, xrefs: 00007FF7F73B59A0
/, xrefs: 00007FF7F73B5900

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: AddressFolderInit_thread_footerPathProcSpecial
String ID: /$/$/data
API String ID: 4283787320-2895359887
Opcode ID: d1e49fa3896eafa6007d938f4fdc5880bf972e46184820727c7f6e229fefdf32
Instruction ID: eba84cacabc52a3cba8f40eae5bb7c311e7dfb9965917a082535bd0e7589b4fb
Opcode Fuzzy Hash: d1e49fa3896eafa6007d938f4fdc5880bf972e46184820727c7f6e229fefdf32
Instruction Fuzzy Hash: C7B1C23AA0968157EB10EB2DD49017DB3A0FF847A4F944135EA6E836D6DF3CD846CB90

Function 000000014000A550 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117networkCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 000000014000A588
WSAGetLastError.WS2_32 ref: 000000014000A596
WSAResetEvent.WS2_32 ref: 000000014000A5D3

Strings

, xrefs: 000000014000A6A2

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: EnumErrorEventEventsLastNetworkReset
String ID:
API String ID: 1050048411-3916222277
Opcode ID: fa868995986a14abb85073b18f218ae2a53ef825df2d0f67fe1e49d6a425e339
Instruction ID: 5a56c2ca883d86df65ce7083488b71bfca8bd6176ccbe13178db47678fe34849
Opcode Fuzzy Hash: fa868995986a14abb85073b18f218ae2a53ef825df2d0f67fe1e49d6a425e339
Instruction Fuzzy Hash: BD513AB2204B448BE762CF26E40479A77F1F78DBD8F190215EB89472A9DB7EC9458B40

Function 0000026C9CB81470 Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 0000026C9CB814A6
CancelIo.KERNEL32 ref: 0000026C9CB814B3
closesocket.WS2_32 ref: 0000026C9CB814C3
SetEvent.KERNEL32 ref: 0000026C9CB814CD

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 2a9ad9b7fa4f886587210fcf5cdafb31a936560bafd6b588060e346cf5de1bbb
Instruction ID: ce0ffe7f9e1570da9ba7108c18ec1eda5a1a8d6658b0f1fc1e4fcf1126c827a9
Opcode Fuzzy Hash: 2a9ad9b7fa4f886587210fcf5cdafb31a936560bafd6b588060e346cf5de1bbb
Instruction Fuzzy Hash: 00F03732604A80C3D7049F25E548369B3B0F785B64FA04325EBBD07BA4CF7AC46AC700

Function 0000000140001470 Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00000001400014A6
CancelIo.KERNEL32 ref: 00000001400014B3
closesocket.WS2_32 ref: 00000001400014C3
SetEvent.KERNEL32 ref: 00000001400014CD

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 49c26dcf36976051189be324e92bcf16e191800432304aafcf15dff69e109372
Instruction ID: 2d1809b97a9702a462fefa8dca50ef9d6389b22542af97769ffcb03c0baeda86
Opcode Fuzzy Hash: 49c26dcf36976051189be324e92bcf16e191800432304aafcf15dff69e109372
Instruction Fuzzy Hash: 28F0F936204A8097E751CF26E5443A9B370F789BB4F504325EB6D47BA5CF39C5AACB00

Function 00007FF7F7349080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 335libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F73364F0: GetModuleFileNameW.KERNEL32 ref: 00007FF7F7336523

LoadLibraryExW.KERNELBASE ref: 00007FF7F73493AE

Strings

.dll, xrefs: 00007FF7F7349302
PATH, xrefs: 00007FF7F734919F

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: FileLibraryLoadModuleName
String ID: .dll$PATH
API String ID: 1159719554-3816765965
Opcode ID: c5343b12e3117846d8bc79dda1a13aca70fa381a8a0851b60b5b434cecc1e18b
Instruction ID: 3a6f0d85c9fd13305819a25d536cade7528d9fb7343143a6d9544cee10f8dcda
Opcode Fuzzy Hash: c5343b12e3117846d8bc79dda1a13aca70fa381a8a0851b60b5b434cecc1e18b
Instruction Fuzzy Hash: 64E1A136B09591ABEB50EE35C8412BCB3A0AF45768F944735DA3D836D9DF28D807C7A0

Function 00007FF7F731A440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF7F731A496

Part of subcall function 00007FF7F7319920: GetProcAddress.KERNEL32 ref: 00007FF7F73199E8
Part of subcall function 00007FF7F7319920: GetFileVersionInfoSizeExW.KERNELBASE ref: 00007FF7F7319AC1

Part of subcall function 00007FF7F73197B0: VerSetConditionMask.KERNEL32 ref: 00007FF7F73197E4
Part of subcall function 00007FF7F73197B0: VerSetConditionMask.KERNEL32 ref: 00007FF7F73197F3
Part of subcall function 00007FF7F73197B0: VerifyVersionInfoW.KERNEL32 ref: 00007FF7F7319842
Part of subcall function 00007FF7F73197B0: VerifyVersionInfoW.KERNEL32 ref: 00007FF7F731986A
Part of subcall function 00007FF7F73197B0: VerSetConditionMask.KERNEL32 ref: 00007FF7F7319889
Part of subcall function 00007FF7F73197B0: VerSetConditionMask.KERNEL32 ref: 00007FF7F731989A
Part of subcall function 00007FF7F73197B0: VerSetConditionMask.KERNEL32 ref: 00007FF7F73198AB
Part of subcall function 00007FF7F73197B0: VerifyVersionInfoW.KERNEL32 ref: 00007FF7F73198C1
Part of subcall function 00007FF7F73197B0: VerifyVersionInfoW.KERNEL32 ref: 00007FF7F73198EA

Strings

default, xrefs: 00007FF7F731A578
Qt: Untested Windows version %d.%d detected!, xrefs: 00007FF7F731A593

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Version$ConditionInfoMask$Verify$AddressFileProcSize
String ID: Qt: Untested Windows version %d.%d detected!$default
API String ID: 3189366613-4050888621
Opcode ID: 56fe74357d412eeec9feb3abae344f86caa2346e8b58c8be68436d8c79f3f852
Instruction ID: 13a09615f1b9087181b51c3dc679ab7a9d90676decbb7ee77cb319c1a9359883
Opcode Fuzzy Hash: 56fe74357d412eeec9feb3abae344f86caa2346e8b58c8be68436d8c79f3f852
Instruction Fuzzy Hash: CF418DB9D0C28293EB74A615949077DE3A0EF55371FE0003FD6AE426C5EE9CE84787A0

Function 0000000140001870 Relevance: 5.1, APIs: 4, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000001400018EE
VirtualFree.KERNEL32 ref: 0000000140001928
VirtualAlloc.KERNEL32 ref: 0000000140001995
VirtualFree.KERNEL32 ref: 00000001400019CF

Part of subcall function 0000000140001A80: send.WS2_32 ref: 0000000140001AE3
Part of subcall function 0000000140001A80: send.WS2_32 ref: 0000000140001B30

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocFreesend
String ID:
API String ID: 2354595252-0
Opcode ID: d32468d94f511778c6efb9e4a37247997571d09d1ecdf759417b344c15647baf
Instruction ID: c386b83460c13cd3b43a28069926cd7ebcb420af6f38d37e418ea9263e80ce11
Opcode Fuzzy Hash: d32468d94f511778c6efb9e4a37247997571d09d1ecdf759417b344c15647baf
Instruction Fuzzy Hash: BE513C72210B4087E766DF2BF45079AB7A5F788BC4F148129EB8A97B64DF78D445CB00

Function 000000014000A400 Relevance: 4.6, APIs: 3, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140008BA0: StrChrW.SHLWAPI ref: 0000000140008BBD

WSASetLastError.WS2_32 ref: 000000014000A499
socket.WS2_32 ref: 000000014000A4AF
WSACreateEvent.WS2_32 ref: 000000014000A504

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CreateErrorEventLastsocket
String ID:
API String ID: 2854923884-0
Opcode ID: e0cbaf7c63bf1ec2e30ce2e462ca0de58b14044d59c9cdb963edb7254d9caeaa
Instruction ID: 6f895d5ae6b0c7e0c03d244604886a8c65f5e7e6555a5c7cfe512488f2747cee
Opcode Fuzzy Hash: e0cbaf7c63bf1ec2e30ce2e462ca0de58b14044d59c9cdb963edb7254d9caeaa
Instruction Fuzzy Hash: 883183B5604B5086E666DB23B8043EA62E1F7CEBE4F040215BB9A47AF6DFBCC551C701

Function 00000001400066C0 Relevance: 4.5, APIs: 3, Instructions: 41networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32 ref: 00000001400066E8
WSAStringToAddressW.WS2_32 ref: 0000000140006721
htons.WS2_32 ref: 0000000140006733

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: AddressErrorLastStringhtons
String ID:
API String ID: 1418563660-0
Opcode ID: a3fb8ebb527ba10d12834dcc094aead56c5fcf668bc44d138c8b989b3c6a5e40
Instruction ID: b0cac0e71a32bd63811cbb38c6314f16192b3d890269d803ef2ef19208760f43
Opcode Fuzzy Hash: a3fb8ebb527ba10d12834dcc094aead56c5fcf668bc44d138c8b989b3c6a5e40
Instruction Fuzzy Hash: 4D01A2B62186A082E7158B26F4153B9A3A1FB48BC8F844025FFDD477A4DA39C9919700

Function 0000026C9CB8BCE0 Relevance: 4.5, APIs: 3, Instructions: 29threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 0000026C9CB8BD10
CreateThread.KERNEL32 ref: 0000026C9CB8BD34
WaitForSingleObject.KERNEL32 ref: 0000026C9CB8BD44

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CreateThread$ObjectSingleWait
String ID:
API String ID: 1771687473-0
Opcode ID: 81b2f335489e0c723144b70b464700628b019d4b610a67576bf3cf9a64e068e0
Instruction ID: 73b2172b9501969b97f94f26d11b97a33d67b38a2159de8ae5c5c095779b8346
Opcode Fuzzy Hash: 81b2f335489e0c723144b70b464700628b019d4b610a67576bf3cf9a64e068e0
Instruction Fuzzy Hash: A0018C31906B40C6E768EF71FC99B7633B1F398308FA44269D5CA42AA4CF3EC1148704

Function 0000000140011AA0 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 0000000140011AB6
GetVersion.KERNEL32 ref: 0000000140011AC8
HeapSetInformation.KERNEL32 ref: 0000000140011AE6

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: dab1620e64bba2d977448fbcf9058565a5723aec7899ea49ad2290dc2e13d490
Instruction ID: 11b2e8d63657c493eb38dd465c5d544629449580d8c01811b72ebb2c961a9503
Opcode Fuzzy Hash: dab1620e64bba2d977448fbcf9058565a5723aec7899ea49ad2290dc2e13d490
Instruction Fuzzy Hash: 33E01A79612A8082FB8AAB56E8497EA2261FB8C785F805019FB4E077A5DF3DC4468704

Function 0000026C9CB400DC Relevance: 3.4, APIs: 2, Instructions: 391memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000026C9CB40157
LoadLibraryA.KERNELBASE ref: 0000026C9CB402BD

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 22a59f860d870a6bcf201ec3191bb530606b5caa03c236b8628a20c22f198a64
Instruction ID: 042be6fbcf340d861f811d13bbc9479a7c03ed9c2a583731e71d9000e3dc31ac
Opcode Fuzzy Hash: 22a59f860d870a6bcf201ec3191bb530606b5caa03c236b8628a20c22f198a64
Instruction Fuzzy Hash: 83C1C430219E0ACBDB68AE69D889775B3F0FB54311F65413DD8CAC7281DA79E892C7C1

Function 00007FF7F7381450 Relevance: 3.1, APIs: 2, Instructions: 123COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF7F738152E
GetFullPathNameW.KERNEL32 ref: 00007FF7F7381583

Part of subcall function 00007FF7F7319CB0: _CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7319CDF

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: FullNamePath$ExceptionThrow
String ID:
API String ID: 606229857-0
Opcode ID: cef41dd83b95d9f355ff0fae64ef258b4847377f3d45da9317d33ccdc43f3009
Instruction ID: 2ec1993c1fa698a755420ecb37e69ad8d29c09aaebb3eefe12489df4a92faa29
Opcode Fuzzy Hash: cef41dd83b95d9f355ff0fae64ef258b4847377f3d45da9317d33ccdc43f3009
Instruction Fuzzy Hash: F051A7776086C196DB20EF55E4402AEB360FB84BA4F944139DA9D837D4DF7CD546CB80

Function 00007FF7F7314190 Relevance: 3.1, APIs: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF7F7314AA0), ref: 00007FF7F73141F7
VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,00007FF7F7314AA0), ref: 00007FF7F731425E

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: 8f8e47707ebd93ed1f71c6a183001e7ecbe9b94e491bc39c99885a78eb5476a0
Instruction ID: ab3de2f94b6ecabe32bc8e55b2acd381b2c23fa5e17cef97d64da0b11c624e43
Opcode Fuzzy Hash: 8f8e47707ebd93ed1f71c6a183001e7ecbe9b94e491bc39c99885a78eb5476a0
Instruction Fuzzy Hash: BE21F4BAF14A8582EF20DB06D450A68A361FBA4FD4FD65035CE1D47791DE3CD892C790

Function 0000000140001A80 Relevance: 3.1, APIs: 2, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 0000000140001AE3
send.WS2_32 ref: 0000000140001B30

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 4d82d8ce8297748054077ff5a83405a44117ba6789b74d22cb788790d759d827
Instruction ID: a9a0367f8085be0a3a8f34c5c9eb81f2418d8be8a90d8d859ca2e5cd89ffc5f9
Opcode Fuzzy Hash: 4d82d8ce8297748054077ff5a83405a44117ba6789b74d22cb788790d759d827
Instruction Fuzzy Hash: B921E1B2704A9041E3618F27B8407EAB694F7CDBD4F045121FF5983BA2FBB8C4828300

Function 0000000140001750 Relevance: 3.1, APIs: 2, Instructions: 64networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000C364: malloc.LIBCMT ref: 000000014000C37E

select.WS2_32 ref: 00000001400017E5
recv.WS2_32 ref: 0000000140001807

Part of subcall function 0000000140001BD0: VirtualAlloc.KERNEL32(?,?,?,?,?,000000014000181F), ref: 0000000140001D5E

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: AllocVirtualmallocrecvselect
String ID:
API String ID: 1241053632-0
Opcode ID: 505b6903d59803aef40d8381a865ccc397fe224001b798411c91ea7f351c35a7
Instruction ID: e79e53effcdf3112c95f2337ea6b6acd2f53d3d590a13a7037282b1afe0fdc01
Opcode Fuzzy Hash: 505b6903d59803aef40d8381a865ccc397fe224001b798411c91ea7f351c35a7
Instruction Fuzzy Hash: 1D219CB2714A8081EB71DF26F5543EA63A0E789FC8F408125EB5D87BA9EF38C1458B00

Function 0000026C9CB8C9F0 Relevance: 3.0, APIs: 2, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 0000026C9CB8CA2F
free.LIBCMT ref: 0000026C9CB8CA6D

Part of subcall function 0000026C9CB872B0: GdipDisposeImage.GDIPLUS ref: 0000026C9CB872ED
Part of subcall function 0000026C9CB872B0: GdipFree.GDIPLUS ref: 0000026C9CB872FB

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Gdip$CreateDisposeFreeHeapImagefree
String ID:
API String ID: 1469048323-0
Opcode ID: 1e852e01241bb4f9f199057eb3e4331d9c0c2a302e0f1085875ebc1fe2c2c545
Instruction ID: dae731aab3e7e43c1ed64305412f85e523cdb1364ea630222100eea01466795a
Opcode Fuzzy Hash: 1e852e01241bb4f9f199057eb3e4331d9c0c2a302e0f1085875ebc1fe2c2c545
Instruction Fuzzy Hash: 3D116AB3111B80CAE754DF25E48462D77F8F788B88F685419EF8913B29CB39C8A0CB44

Function 0000000140004F00 Relevance: 3.0, APIs: 2, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 0000000140004F3F
free.LIBCMT ref: 0000000140004F7D

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CreateHeapfree
String ID:
API String ID: 2345683253-0
Opcode ID: 28c10530bac5da55857837622ebc9bb0a9222c4d30909a16d0c3f2103b32b967
Instruction ID: e9c3ad32272f9072ca89ff6d639c6e7b0cee97d95a3e8c3e1d0d463da563d760
Opcode Fuzzy Hash: 28c10530bac5da55857837622ebc9bb0a9222c4d30909a16d0c3f2103b32b967
Instruction Fuzzy Hash: C8116AB3114B808AD751CF26E48075D77B8F788B88F685029EF9917B29CB34C8A1CB48

Function 00000001400063C0 Relevance: 3.0, APIs: 2, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32 ref: 00000001400063F6
WSAGetLastError.WS2_32 ref: 0000000140006401

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorIoctlLast
String ID:
API String ID: 4052769934-0
Opcode ID: 312aed48b350a6209cc86974967232855cb715dd87e6e1548b6b0fe6eba230ae
Instruction ID: f01f3c849799de985b5d5e858bfb08d7df10fa5871a8be8eb346f901d8f668c6
Opcode Fuzzy Hash: 312aed48b350a6209cc86974967232855cb715dd87e6e1548b6b0fe6eba230ae
Instruction Fuzzy Hash: F7F08272504740C3D7118F20B48029AB7A5F7C8760F940339FBAD46AA4CB3CC699DE00

Function 0000000140001B80 Relevance: 3.0, APIs: 2, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000000140001B90
SleepEx.KERNELBASE ref: 0000000140001B9B

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: ObjectSingleSleepWait
String ID:
API String ID: 309074506-0
Opcode ID: 603a922227ff03948ea78d4582b52cf0cf5df44459da400247924caec94784ac
Instruction ID: e61617ec54a607614f8729d208c7933ec504356b0bf9dae2a8fcd807036d5cba
Opcode Fuzzy Hash: 603a922227ff03948ea78d4582b52cf0cf5df44459da400247924caec94784ac
Instruction Fuzzy Hash: 3CE0EC7261494085E752DB7BA85436423A1FB8CF64F1407219B7D8A2E5CE35C0419264

Function 0000000140001070 Relevance: 2.6, APIs: 2, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000001400010E8
VirtualFree.KERNELBASE ref: 0000000140001123

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 0b4d83cdc7f3374882a2405b78c883344f199d32df5bac03a6686caa87e666e1
Instruction ID: 70cb798ce691b1d1b3747c3c80cce9e382c7a2f5387daa1aeb325cd09070d138
Opcode Fuzzy Hash: 0b4d83cdc7f3374882a2405b78c883344f199d32df5bac03a6686caa87e666e1
Instruction Fuzzy Hash: B241E4B2700A8486D71ACF2AE9407D9A7A1F788BC8F048529FF4A47B69DE34C891C740

Function 00000001400011E0 Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000000140001251
VirtualFree.KERNELBASE ref: 0000000140001285

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 35ec61db66e325779c8396a2d5ca1d82070d184fb1970e64289eed608e10a2fb
Instruction ID: f16518db71c21787d7e0962e8ac704ec91cd38b893080e9dde5852ea236419e3
Opcode Fuzzy Hash: 35ec61db66e325779c8396a2d5ca1d82070d184fb1970e64289eed608e10a2fb
Instruction Fuzzy Hash: E2217F72714A4086D746CB2AF54039963A1F78CBC4F548525FB5997B58DF34D8E28B40

Function 0000026C9CB96AE8 Relevance: 1.5, APIs: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 0000026C9CB96B0F

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: DecodePointer
String ID:
API String ID: 3527080286-0
Opcode ID: 9da76b86c43469502cb9962a14670a8e5049ec898b9d5911d73b5e2543db7b42
Instruction ID: ba10ca93fc3ce3adecbb10fc561c3f58aeee1361be2677ef7c62d7882972e79e
Opcode Fuzzy Hash: 9da76b86c43469502cb9962a14670a8e5049ec898b9d5911d73b5e2543db7b42
Instruction Fuzzy Hash: 3A011A36A14B84C2E764AB62F44572AB764F799BC4F684525EFCC07F59CE39C5118A00

Function 00007FF7F7340E40 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7F7340E7A

Part of subcall function 00007FF7F7344400: GetProcAddress.KERNEL32 ref: 00007FF7F7344586

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: AddressCurrentProcThread
String ID:
API String ID: 3962317920-0
Opcode ID: acc812e3850b7be8dd11515c35d5aee543ce9ef8fc169abd74eb55cbd8338b55
Instruction ID: 99517b35d93ec8e280f5e39e78bf18f2cb98a989860e0b78884c58b4ab6f037a
Opcode Fuzzy Hash: acc812e3850b7be8dd11515c35d5aee543ce9ef8fc169abd74eb55cbd8338b55
Instruction Fuzzy Hash: 8711E836509F8184D3809F34F94139973E8F709B58FA44239DAAC877A9EF388065C720

Function 00007FF7F7340DD0 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FF7F7340E14

Part of subcall function 00007FF7F7340E40: GetCurrentThreadId.KERNEL32 ref: 00007FF7F7340E7A

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: CurrentThreadstd::bad_exception::bad_exception
String ID:
API String ID: 299378639-0
Opcode ID: 058f0110385e271502d91cabf9693d420978a267fc73d507fc430bd55fc21fba
Instruction ID: 8dfb33ca87a8df9487d93f47f4686d1fe29d5f1808fcd351b608dd058051c237
Opcode Fuzzy Hash: 058f0110385e271502d91cabf9693d420978a267fc73d507fc430bd55fc21fba
Instruction Fuzzy Hash: A3F08225709B8252DB54AB15F805169E2A4AF497E0FD44338EFBC077E6DE3CD0918650

Function 000000014001DFF0 Relevance: 1.5, APIs: 1, Instructions: 22networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 000000014001E020

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 90d8150e3757ef238170da936ae11fff972097fbe498c69ec85e5f8ebc6fd6bb
Instruction ID: 2911937ff579bdcfe6b4ac6631c023d3c56698f6ad4b92838af04f44b9dc91a7
Opcode Fuzzy Hash: 90d8150e3757ef238170da936ae11fff972097fbe498c69ec85e5f8ebc6fd6bb
Instruction Fuzzy Hash: 84F05276220A84DAEB12EF25E8193D873A4F74C784F808016FB8D8B768DF38C2118B00

Function 000000014000C408 Relevance: 1.5, APIs: 1, Instructions: 10threadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E71C: GetLastError.KERNEL32(?,?,?,000000014000E559,?,?,?,?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014000E726
Part of subcall function 000000014000E71C: FlsGetValue.KERNEL32(?,?,?,000000014000E559,?,?,?,?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014000E734
Part of subcall function 000000014000E71C: FlsSetValue.KERNEL32(?,?,?,000000014000E559,?,?,?,?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014000E760
Part of subcall function 000000014000E71C: GetCurrentThreadId.KERNEL32 ref: 000000014000E774
Part of subcall function 000000014000E71C: SetLastError.KERNEL32(?,?,?,000000014000E559,?,?,?,?,000000014000CDFD,?,?,?,000000014000105E), ref: 000000014000E78C

ExitThread.KERNEL32 ref: 000000014000C424

Part of subcall function 000000014000E8F8: FlsGetValue.KERNEL32(?,?,?,000000014000C422,?,?,?,?,?,?,?,?,?,?,?,00000001400015D2), ref: 000000014000E911
Part of subcall function 000000014000E8F8: FlsSetValue.KERNEL32(?,?,?,000000014000C422,?,?,?,?,?,?,?,?,?,?,?,00000001400015D2), ref: 000000014000E922
Part of subcall function 000000014000E8F8: _freefls.LIBCMT ref: 000000014000E92B

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Value$ErrorLastThread$CurrentExit_freefls
String ID:
API String ID: 1216290073-0
Opcode ID: 50720535ccd6fb1326abae26ff6c97f43710cf1c4642367276e24177af361050
Instruction ID: b3ac20aaedd1452b9766895f4c06c775f723c0e6f08f999d19768f29f34785b6
Opcode Fuzzy Hash: 50720535ccd6fb1326abae26ff6c97f43710cf1c4642367276e24177af361050
Instruction Fuzzy Hash: 73C002B471238441FE2EB7B6345A7A811506B5D780E441438BA5A1B3A3DD7984094300

Function 0000000140006270 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 0000000140006290

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: e95747ce8f3f3750f5459e05a253b64576bad900133d075150429dbf0668e463
Instruction ID: cf5048b8f6b0cb3c2e2677f4137b1ab2fc995b420aa23efcee12e8e639857660
Opcode Fuzzy Hash: e95747ce8f3f3750f5459e05a253b64576bad900133d075150429dbf0668e463
Instruction Fuzzy Hash: 5AC012716141C187E720DF14D4053966B20F789344F900525F78806AA4C77DC25ACF04

Function 00000001400062A0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00000001400062C0

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: aad93ee022f5210646a99c84337d3774725d5d85ae8e5a47ae194036c45a8d95
Instruction ID: f9c991f187c9692375a014dc1883362d59b838f17bd84156b4685b9339654db1
Opcode Fuzzy Hash: aad93ee022f5210646a99c84337d3774725d5d85ae8e5a47ae194036c45a8d95
Instruction Fuzzy Hash: D0C012716141C187E720DF14D4043966B20F789348F900525FB8806AA4C77EC25ACF04

Function 00007FF7F7401C00 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7F74039B5,?,?,00000000,00007FF7F740803F,?,?,?,00007FF7F7400B83,?,?,?,00007FF7F7400A79), ref: 00007FF7F7401C3E

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 460da5771890f454806aba5e565a12d6929184467c6de6092689245f29d5b967
Instruction ID: 65916961f8ad360d459a7bd5baa3affcc5baf7a410bf5a190fdac09dcdaa376e
Opcode Fuzzy Hash: 460da5771890f454806aba5e565a12d6929184467c6de6092689245f29d5b967
Instruction Fuzzy Hash: 50F08208B4D24246FF6876616840378D1944F957A2FC80230DD3F862C5DF2CE48359B4

Non-executed Functions

Function 0000026C9CB85280 Relevance: 59.7, APIs: 25, Strings: 9, Instructions: 202libraryloaderprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 0000026C9CB8530B
CreateProcessA.KERNEL32 ref: 0000026C9CB8536E
OpenProcess.KERNEL32 ref: 0000026C9CB85393
LoadLibraryA.KERNEL32 ref: 0000026C9CB853C1
GetProcAddress.KERNEL32 ref: 0000026C9CB853D1
LoadLibraryA.KERNEL32 ref: 0000026C9CB853E2
GetProcAddress.KERNEL32 ref: 0000026C9CB853F2
LoadLibraryA.KERNEL32 ref: 0000026C9CB85403
GetProcAddress.KERNEL32 ref: 0000026C9CB85413
LoadLibraryA.KERNEL32 ref: 0000026C9CB85424
GetProcAddress.KERNEL32 ref: 0000026C9CB85434
GetCurrentProcess.KERNEL32 ref: 0000026C9CB8543E
GetProcessId.KERNEL32 ref: 0000026C9CB85447
GetModuleFileNameA.KERNEL32 ref: 0000026C9CB8547B
VirtualAllocEx.KERNEL32 ref: 0000026C9CB854B1
WriteProcessMemory.KERNEL32 ref: 0000026C9CB854D4

Strings

%s%s, xrefs: 0000026C9CB8531F
h, xrefs: 0000026C9CB852EB
Kernel32.dll, xrefs: 0000026C9CB853BA, 0000026C9CB853D7, 0000026C9CB853F8, 0000026C9CB85419
WaitForSingleObject, xrefs: 0000026C9CB8542A
Windows\System32\svchost.exe, xrefs: 0000026C9CB85311
OpenProcess, xrefs: 0000026C9CB853C7
ExitProcess, xrefs: 0000026C9CB853E8
WinExec, xrefs: 0000026C9CB85409
@, xrefs: 0000026C9CB85525

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Process$AddressLibraryLoadProc$AllocCreateCurrentDirectoryFileMemoryModuleNameOpenSystemVirtualWrite
String ID: %s%s$@$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\System32\svchost.exe$h
API String ID: 675209239-4110464286
Opcode ID: cb6061bd00fcf5d5817a298436270a70da75f0555b869f46bbdfee4cd9ce1f11
Instruction ID: fa2f060eb592f5cf070ba75698728f287e45628c92b8bb6be58aae88b00f764d
Opcode Fuzzy Hash: cb6061bd00fcf5d5817a298436270a70da75f0555b869f46bbdfee4cd9ce1f11
Instruction Fuzzy Hash: CCA11731612B81C6EB20EF61E8587BA77F5F749B88F900025DACA07A58DF7BC249C740

Function 0000026C9CB8C1B0 Relevance: 50.9, APIs: 26, Strings: 3, Instructions: 184filesynchronizationstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0000026C9CB8C215
GetTickCount.KERNEL32 ref: 0000026C9CB8C21B
GetTickCount.KERNEL32 ref: 0000026C9CB8C232
OpenClipboard.USER32 ref: 0000026C9CB8C240
GetClipboardData.USER32 ref: 0000026C9CB8C24B
GlobalSize.KERNEL32 ref: 0000026C9CB8C260
GlobalLock.KERNEL32 ref: 0000026C9CB8C26D
wsprintfW.USER32 ref: 0000026C9CB8C2DD
GlobalUnlock.KERNEL32 ref: 0000026C9CB8C308
CloseClipboard.USER32 ref: 0000026C9CB8C30E
WaitForSingleObject.KERNEL32 ref: 0000026C9CB8C32B
CreateFileW.KERNEL32 ref: 0000026C9CB8C359
SetFilePointer.KERNEL32 ref: 0000026C9CB8C375
lstrlenW.KERNEL32 ref: 0000026C9CB8C382
WriteFile.KERNEL32 ref: 0000026C9CB8C3A0
CloseHandle.KERNEL32 ref: 0000026C9CB8C3A9
ReleaseMutex.KERNEL32 ref: 0000026C9CB8C3B6
lstrlenW.KERNEL32 ref: 0000026C9CB8C405
wsprintfW.USER32 ref: 0000026C9CB8C459
WaitForSingleObject.KERNEL32 ref: 0000026C9CB8C469
CreateFileW.KERNEL32 ref: 0000026C9CB8C497
SetFilePointer.KERNEL32 ref: 0000026C9CB8C4B3
lstrlenW.KERNEL32 ref: 0000026C9CB8C4BE
WriteFile.KERNEL32 ref: 0000026C9CB8C4DA
CloseHandle.KERNEL32 ref: 0000026C9CB8C4E3
ReleaseMutex.KERNEL32 ref: 0000026C9CB8C4F0

Strings

[esc], xrefs: 0000026C9CB8C421
[, xrefs: 0000026C9CB8C2CB
f, xrefs: 0000026C9CB8C428

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: File$ClipboardCloseGloballstrlen$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWritewsprintf$DataLockOpenSizeSleepUnlock
String ID: [$[esc]$f
API String ID: 4024049034-3848119899
Opcode ID: 97fd7cb3ef38961945420586d2202e0037aa361a794408fddb7f4b1b4befad8b
Instruction ID: a9d4b7576ceac4c53acb14df34965f958b79cc8a1e245e0691e0cabdd774f7b8
Opcode Fuzzy Hash: 97fd7cb3ef38961945420586d2202e0037aa361a794408fddb7f4b1b4befad8b
Instruction Fuzzy Hash: 6A917D71212A45C6EB10FB25E8587BA77F0FB94B84FA44125DACA43AA5DF3FC549C700

Function 0000026C9CB88FC0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 304windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0000026C9CB89006
GetDC.USER32 ref: 0000026C9CB8900F
CreateCompatibleDC.GDI32 ref: 0000026C9CB8901B
GetDC.USER32 ref: 0000026C9CB89027
GetDeviceCaps.GDI32 ref: 0000026C9CB89038
GetDeviceCaps.GDI32 ref: 0000026C9CB89048
ReleaseDC.USER32 ref: 0000026C9CB89065
GetSystemMetrics.USER32 ref: 0000026C9CB89083
GetSystemMetrics.USER32 ref: 0000026C9CB890B9
GetSystemMetrics.USER32 ref: 0000026C9CB8910C
GetSystemMetrics.USER32 ref: 0000026C9CB89126
CreateCompatibleBitmap.GDI32 ref: 0000026C9CB89144
SelectObject.GDI32 ref: 0000026C9CB89158
SetStretchBltMode.GDI32 ref: 0000026C9CB89166
GetSystemMetrics.USER32 ref: 0000026C9CB89171
GetSystemMetrics.USER32 ref: 0000026C9CB8918B
StretchBlt.GDI32 ref: 0000026C9CB891D1
GetDIBits.GDI32 ref: 0000026C9CB89277

Part of subcall function 0000026C9CB93E78: malloc.LIBCMT ref: 0000026C9CB93E92

DeleteObject.GDI32 ref: 0000026C9CB8932B
DeleteObject.GDI32 ref: 0000026C9CB89335
ReleaseDC.USER32 ref: 0000026C9CB89340
DeleteObject.GDI32 ref: 0000026C9CB893CE
DeleteObject.GDI32 ref: 0000026C9CB893D8
ReleaseDC.USER32 ref: 0000026C9CB893E3

Strings

gfff, xrefs: 0000026C9CB8909D
, xrefs: 0000026C9CB891A0
gfff, xrefs: 0000026C9CB890CE

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch$BitmapBitsDesktopModeSelectWindowmalloc
String ID: $gfff$gfff
API String ID: 1524144516-4202476792
Opcode ID: d936499b14b76e66d130f8d05095c3ee707fe66b3643cec9522bfb7bd31049c9
Instruction ID: 630541571334697bb97450b2df4cbc5d2f7cf58d3714e3d999a2a884bc500ef2
Opcode Fuzzy Hash: d936499b14b76e66d130f8d05095c3ee707fe66b3643cec9522bfb7bd31049c9
Instruction Fuzzy Hash: C2D1A032B15B40C6E715EB76E45837E73B1FB89B88F244225DE8A57B98EF3AC4458700

Function 0000026C9CB9EC80 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 465COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CB9ECD6
_errno.LIBCMT ref: 0000026C9CB9ECDD
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB9ECE8

Strings

U, xrefs: 0000026C9CB9F264

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 30f2d96b9074e97b7c7e9f06a6e76ee1250dada0a486160a752ccb230227623d
Instruction ID: 7b024e8f60725e0e4ff9318b7bc2593b0660e0517677ab888b198949dce6d3f5
Opcode Fuzzy Hash: 30f2d96b9074e97b7c7e9f06a6e76ee1250dada0a486160a752ccb230227623d
Instruction Fuzzy Hash: 7112E132216A81C6EB20AF25D44837E77B5F385B98F744116EBCA47AA9DB3FC445CB10

Function 0000026C9CB9D160 Relevance: 41.6, APIs: 15, Strings: 8, Instructions: 1317COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB9D1D7
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB9D1E2
iswctype.LIBCMT ref: 0000026C9CB9D23A
_whiteout.LIBCMT ref: 0000026C9CB9D253
iswctype.LIBCMT ref: 0000026C9CB9D275

Strings

*, xrefs: 0000026C9CB9D342
%, xrefs: 0000026C9CB9D22C
N, xrefs: 0000026C9CB9D35E
L, xrefs: 0000026C9CB9D359
h, xrefs: 0000026C9CB9D367
I, xrefs: 0000026C9CB9D354
w, xrefs: 0000026C9CB9D375
F, xrefs: 0000026C9CB9D34B

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: iswctype$_errno_invalid_parameter_noinfo_whiteout
String ID: %$*$F$I$L$N$h$w
API String ID: 3700623789-4081125726
Opcode ID: 5a47cfcad9870c6166d9b56845e0fa845daf07801b6f0568e4e7a86a5554995e
Instruction ID: 3a43cacbe7f742d51046b4182f051299d8fb4f8d2725d0f497ef73d231edb7a5
Opcode Fuzzy Hash: 5a47cfcad9870c6166d9b56845e0fa845daf07801b6f0568e4e7a86a5554995e
Instruction Fuzzy Hash: 14C2B07261A691C6FB60AF76D0483BE7BB0F785788F744115EAC657B99DB3AC840CB00

Function 0000026C9CB98B00 Relevance: 30.5, APIs: 15, Strings: 2, Instructions: 721COMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB94F78: _getptd.LIBCMT ref: 0000026C9CB94F8A

_errno.LIBCMT ref: 0000026C9CB98B73
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB98B7E
_errno.LIBCMT ref: 0000026C9CB98C2A
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB98C35
write_multi_char.LIBCMT ref: 0000026C9CB9921F
write_multi_char.LIBCMT ref: 0000026C9CB99251
write_multi_char.LIBCMT ref: 0000026C9CB992F2
free.LIBCMT ref: 0000026C9CB9930A
write_char.LIBCMT ref: 0000026C9CB9945D
write_char.LIBCMT ref: 0000026C9CB99488

Strings

@, xrefs: 0000026C9CB98BA3
, xrefs: 0000026C9CB991EF

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_getptdfree
String ID: $@
API String ID: 3872287888-1077428164
Opcode ID: 4ad68d052edb4066e7183ac2d39c2eb6e9cce887ff5bc7de5fef0a40779fa4e1
Instruction ID: ec8fa9b2de03bce30bbd0f779517e598af44ff1c3f64a5e5342da50d76466fc6
Opcode Fuzzy Hash: 4ad68d052edb4066e7183ac2d39c2eb6e9cce887ff5bc7de5fef0a40779fa4e1
Instruction Fuzzy Hash: EF52CD72A0A690C6FBA5AB69D44C37E7BB1B74579CF381405DACE477E8D63BC8408B00

Function 0000026C9CB97F58 Relevance: 30.5, APIs: 15, Strings: 2, Instructions: 705COMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB94F78: _getptd.LIBCMT ref: 0000026C9CB94F8A

_errno.LIBCMT ref: 0000026C9CB97FC6
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB97FD1
_errno.LIBCMT ref: 0000026C9CB9807A
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB98085
write_multi_char.LIBCMT ref: 0000026C9CB98652
write_multi_char.LIBCMT ref: 0000026C9CB98684
write_multi_char.LIBCMT ref: 0000026C9CB98730
free.LIBCMT ref: 0000026C9CB98749
write_char.LIBCMT ref: 0000026C9CB98888
write_char.LIBCMT ref: 0000026C9CB988A9

Strings

@, xrefs: 0000026C9CB97FF5
, xrefs: 0000026C9CB98622

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_getptdfree
String ID: $@
API String ID: 3872287888-1077428164
Opcode ID: de789989f5679af20ad6b3dcbe4606d5ff2aeb23094d55da5cea7cfbe456f95e
Instruction ID: c4b7adbe74170d37bc43721bc9ce0890dfd36c0c7eea12d864fd826e3bd483ca
Opcode Fuzzy Hash: de789989f5679af20ad6b3dcbe4606d5ff2aeb23094d55da5cea7cfbe456f95e
Instruction Fuzzy Hash: 7952BA7221A690C7FB65AA25D44C3BE7BB0B74178CF785416DACA4B6E5DB3BC840CB01

Function 0000026C9CB85820 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 123libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000026C9CB85867
GetProcAddress.KERNEL32 ref: 0000026C9CB8587A
FreeLibrary.KERNEL32 ref: 0000026C9CB858A6
GetProcAddress.KERNEL32 ref: 0000026C9CB858BD
CreateFileW.KERNEL32 ref: 0000026C9CB85906
GetProcAddress.KERNEL32 ref: 0000026C9CB8594C
WriteFile.KERNEL32 ref: 0000026C9CB8598D
CloseHandle.KERNEL32 ref: 0000026C9CB859A2
Sleep.KERNEL32 ref: 0000026C9CB859B5
GetProcAddress.KERNEL32 ref: 0000026C9CB859C5
FreeLibrary.KERNEL32 ref: 0000026C9CB859E0

Strings

InternetCloseHandle, xrefs: 0000026C9CB859BB
InternetOpenUrlW, xrefs: 0000026C9CB858B3
InternetReadFile, xrefs: 0000026C9CB85942
wininet.dll, xrefs: 0000026C9CB8584A
MSIE 6.0, xrefs: 0000026C9CB85880
InternetOpenW, xrefs: 0000026C9CB8586D

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 2977986460-1099148085
Opcode ID: d4b34376749ff32eba99456bda1799e250470724f7914fc7af70a848fadcdb06
Instruction ID: 24400fcc7f611c61377dd410b96275a944ed170fa68a51d8e087ef66bfd402cb
Opcode Fuzzy Hash: d4b34376749ff32eba99456bda1799e250470724f7914fc7af70a848fadcdb06
Instruction Fuzzy Hash: 06418132206A41C6FB20AB22F95877A77F0F789BA5FA44121ADC907B54DF7EC4598B04

Function 0000026C9CB921F0 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 294threadtimenetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026C9CB9222B
GetCurrentThreadId.KERNEL32 ref: 0000026C9CB92242
CreateWaitableTimerW.KERNEL32 ref: 0000026C9CB92317
SetWaitableTimer.KERNEL32 ref: 0000026C9CB9237A
free.LIBCMT ref: 0000026C9CB923AA
malloc.LIBCMT ref: 0000026C9CB92409
free.LIBCMT ref: 0000026C9CB92424
WSAWaitForMultipleEvents.WS2_32 ref: 0000026C9CB924C2
GetLastError.KERNEL32 ref: 0000026C9CB92554
WSAGetLastError.WS2_32 ref: 0000026C9CB92588

Part of subcall function 0000026C9CB91280: recv.WS2_32 ref: 0000026C9CB912C2
Part of subcall function 0000026C9CB91280: SetLastError.KERNEL32 ref: 0000026C9CB912F0
Part of subcall function 0000026C9CB91280: GetLastError.KERNEL32 ref: 0000026C9CB91325

GetCurrentThreadId.KERNEL32 ref: 0000026C9CB925A5
GetCurrentThreadId.KERNEL32 ref: 0000026C9CB925D1
CloseHandle.KERNEL32 ref: 0000026C9CB925F3

Strings

bad allocation, xrefs: 0000026C9CB92440
---------------> Client Worker Thread 0x%08X stoped <---------------, xrefs: 0000026C9CB925D9
---------------> Client Worker Thread 0x%08X started <---------------, xrefs: 0000026C9CB92233

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CurrentErrorLastThread$TimerWaitablefree$CloseCreateEventsHandleMultipleWaitmallocrecv
String ID: ---------------> Client Worker Thread 0x%08X started <---------------$---------------> Client Worker Thread 0x%08X stoped <---------------$bad allocation
API String ID: 1496484581-800104984
Opcode ID: a483d8a4f07ee7daca44cb9bd2cf3cbe87aec68c923bb870d730149bae29c94a
Instruction ID: 4c021a7c22d31e4d970747619d2afbc85d95eaad42067b551fb8804eca4911d8
Opcode Fuzzy Hash: a483d8a4f07ee7daca44cb9bd2cf3cbe87aec68c923bb870d730149bae29c94a
Instruction Fuzzy Hash: 46C19F32602B40C6EB68AF25E95837E73F4F744B98F644115DADA877A5DF3AC815C301

Function 00007FF7F7408B9C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1209COMMONLIBRARYCODE

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF7F7408BE1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F74091E1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7409398
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F74095AC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7409855
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7409A52
memcpy_s.LIBCPMT ref: 00007FF7F7409B3D
memcpy_s.LIBCPMT ref: 00007FF7F7409BE8
memcpy_s.LIBCPMT ref: 00007FF7F7409CAE

Strings

1#INF, xrefs: 00007FF7F7409D7F
1#QNAN, xrefs: 00007FF7F7409D6C
1#IND, xrefs: 00007FF7F7409D54
1#SNAN, xrefs: 00007FF7F7409D60

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 32cef84cd1dc972d3f30f67bf0faffc5798012c0ccfd2e5b877c42ffa3d6f4fc
Instruction ID: e1ce67f6048584e1d7c00c52a99cd83e5c17e6a3eee0e4c13768e2e385e39a43
Opcode Fuzzy Hash: 32cef84cd1dc972d3f30f67bf0faffc5798012c0ccfd2e5b877c42ffa3d6f4fc
Instruction Fuzzy Hash: 05B2E57AF182828BE7649F24D5407FDB7A1FB54385F805139DA2D97AC4DB3CA902CB90

Function 0000026C9CB898D0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 143stringprocessCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000026C9CB89963
lstrlenW.KERNEL32 ref: 0000026C9CB89985
wsprintfW.USER32 ref: 0000026C9CB899E1
ExpandEnvironmentStringsW.KERNEL32 ref: 0000026C9CB89A48
lstrcatW.KERNEL32 ref: 0000026C9CB89A83
lstrcatW.KERNEL32 ref: 0000026C9CB89A90
lstrcpyW.KERNEL32 ref: 0000026C9CB89A9E
CreateProcessW.KERNEL32 ref: 0000026C9CB89B0D

Strings

%s\shell\open\command, xrefs: 0000026C9CB899D3
WinSta0\Default, xrefs: 0000026C9CB89AC0
"%1, xrefs: 0000026C9CB89A4E
, xrefs: 0000026C9CB89972
h, xrefs: 0000026C9CB89AB4

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: lstrcatlstrlen$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: $"%1$%s\shell\open\command$WinSta0\Default$h
API String ID: 1783372451-2159495357
Opcode ID: dfd323aeb03c13e2d7b38d1d30753097b8c80399a4e347c45ec02a5e266f6bc6
Instruction ID: 3ce4d8a3a10181fc294ae781f714a71ec0520d45cbc3537413abc7d0eea93acf
Opcode Fuzzy Hash: dfd323aeb03c13e2d7b38d1d30753097b8c80399a4e347c45ec02a5e266f6bc6
Instruction Fuzzy Hash: 9D619E31722A45C5FF20EB61D8987F973B5FB88748FA00025DA8D46A99EF3AC649C710

Function 0000026C9CB8BDD0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 113synchronizationfilestringCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 0000026C9CB8BE0D
lstrcatW.KERNEL32 ref: 0000026C9CB8BE1D
CreateMutexW.KERNEL32 ref: 0000026C9CB8BE2A
WaitForSingleObject.KERNEL32 ref: 0000026C9CB8BE3D
CreateFileW.KERNEL32 ref: 0000026C9CB8BE6B
GetFileSize.KERNEL32 ref: 0000026C9CB8BE79
CloseHandle.KERNEL32 ref: 0000026C9CB8BE84
DeleteFileW.KERNEL32 ref: 0000026C9CB8BE95
ReleaseMutex.KERNEL32 ref: 0000026C9CB8BEA2
DirectInput8Create.DINPUT8 ref: 0000026C9CB8BEC3
GetTickCount.KERNEL32 ref: 0000026C9CB8BF7B

Strings

\sys_vdio.key, xrefs: 0000026C9CB8BE13
<, xrefs: 0000026C9CB8BF46

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeTickWaitlstrcat
String ID: <$\sys_vdio.key
API String ID: 3264482950-1798576524
Opcode ID: 1c1d0dc86c9ff9c9df10a55f1d15d96183aa64237dc76bcdb1e2e0bd592c1929
Instruction ID: ec0e85870cc3213a655ad338b9cef320cc01a6b8aab5cad5d26a3fbbc0e5f29d
Opcode Fuzzy Hash: 1c1d0dc86c9ff9c9df10a55f1d15d96183aa64237dc76bcdb1e2e0bd592c1929
Instruction Fuzzy Hash: 46510A31201A45C6EB10EF26E868B7A37B5F798B89F604425DACE47BA4DF3BC449C740

Function 0000026C9CB5E751 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 704COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CB5E7A7
_errno.LIBCMT ref: 0000026C9CB5E7AE
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB5E7B9

Strings

U, xrefs: 0000026C9CB5ED35

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 9f96dc6598ded2c050553f4775ecba739cf52e8cf7bfc7702792ad462be09d09
Instruction ID: 8d05af604ccfa80e0dcc2d3fd2554be2d30862863765662f2faebcdbb87be62e
Opcode Fuzzy Hash: 9f96dc6598ded2c050553f4775ecba739cf52e8cf7bfc7702792ad462be09d09
Instruction Fuzzy Hash: BD32B431119AC5CBE719AB68D8497BA73F1FB95344F24051DE8C7C31D2DA3AD842DB82

Function 0000026C9CB83A60 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 186stringregistrycomCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32 ref: 0000026C9CB83AF5
lstrcatW.KERNEL32 ref: 0000026C9CB83B05
CoCreateInstance.OLE32 ref: 0000026C9CB83B50
wsprintfW.USER32 ref: 0000026C9CB83C45
RegOpenKeyExW.ADVAPI32 ref: 0000026C9CB83C6C
RegQueryValueExW.ADVAPI32 ref: 0000026C9CB83CBE
lstrcatW.KERNEL32 ref: 0000026C9CB83CD2
lstrcatW.KERNEL32 ref: 0000026C9CB83CE2
RegCloseKey.ADVAPI32 ref: 0000026C9CB83CEC

Part of subcall function 0000026C9CB83970: CreateToolhelp32Snapshot.KERNEL32 ref: 0000026C9CB839B1
Part of subcall function 0000026C9CB83970: Process32FirstW.KERNEL32 ref: 0000026C9CB839D0
Part of subcall function 0000026C9CB83970: Process32NextW.KERNEL32 ref: 0000026C9CB83A10
Part of subcall function 0000026C9CB83970: CloseHandle.KERNEL32 ref: 0000026C9CB83A1D

lstrlenW.KERNEL32 ref: 0000026C9CB83D23
lstrcatW.KERNEL32 ref: 0000026C9CB83D37

Strings

CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 0000026C9CB83C3A

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: lstrcat$CloseCreateProcess32$FirstHandleInstanceNextOpenQuerySnapshotToolhelp32Valuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}
API String ID: 2719888535-4035668053
Opcode ID: d33f07defdf78316018c5fc0878d74b5aedf32f29980ee74f23bdecb8d2c4bf9
Instruction ID: 87ee099aacb2353d15c6f338ba1ca2d5c1eb4334b5dffed62478e122fab434e1
Opcode Fuzzy Hash: d33f07defdf78316018c5fc0878d74b5aedf32f29980ee74f23bdecb8d2c4bf9
Instruction Fuzzy Hash: C5916B72701B90C6EB10EF65E8846BD7BB1F788B88F600116DE8D57A68DF3AC559CB00

Function 0000026C9CB9FD10 Relevance: 20.3, APIs: 13, Instructions: 754COMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB94F78: _getptd.LIBCMT ref: 0000026C9CB94F8A

_errno.LIBCMT ref: 0000026C9CB9FD87
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB9FD92
DecodePointer.KERNEL32 ref: 0000026C9CBA036C
DecodePointer.KERNEL32 ref: 0000026C9CBA03AD
DecodePointer.KERNEL32 ref: 0000026C9CBA03D2
write_multi_char.LIBCMT ref: 0000026C9CBA046C
write_multi_char.LIBCMT ref: 0000026C9CBA04A1
write_char.LIBCMT ref: 0000026C9CBA04ED
write_multi_char.LIBCMT ref: 0000026C9CBA0545
free.LIBCMT ref: 0000026C9CBA056C
_errno.LIBCMT ref: 0000026C9CBA0827
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CBA0832

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: DecodePointerwrite_multi_char$_errno_invalid_parameter_noinfo$_getptdfreewrite_char
String ID:
API String ID: 3562693915-0
Opcode ID: 43b494f0418648be60998cf239ea68d13273c4f8f163afde2bbbfde4244db2c5
Instruction ID: 48af7cf17b2c29a19a6c07d646dded758f99c250626164ad1c641a559f18bc74
Opcode Fuzzy Hash: 43b494f0418648be60998cf239ea68d13273c4f8f163afde2bbbfde4244db2c5
Instruction Fuzzy Hash: 9E62BD7260AA80C6FB64AB15E45837E7BF1B791798FB44016DBCB57AD4DB7AC840CB00

Function 0000026C9CB89B40 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 138registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000026C9CB89BB6
RegQueryValueExW.ADVAPI32 ref: 0000026C9CB89C29
lstrcpyW.KERNEL32 ref: 0000026C9CB89D80
RegCloseKey.ADVAPI32 ref: 0000026C9CB89D92
RegCloseKey.ADVAPI32 ref: 0000026C9CB89D9D

Strings

%08X, xrefs: 0000026C9CB89D2E

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcpy
String ID: %08X
API String ID: 2032971926-3773563069
Opcode ID: e5e4124dce340e64fc084ef5771f100bb91bccaaee7df38b6378f83399f0ca44
Instruction ID: 1ab83d623ea7d2a451242d6c7edd56b5ff5560d92d5d429fff47c5c9ca2b88bd
Opcode Fuzzy Hash: e5e4124dce340e64fc084ef5771f100bb91bccaaee7df38b6378f83399f0ca44
Instruction Fuzzy Hash: D1516431619A80D2EB60EB15E4887BBB3B0F7C4794FA44125EBCD42AA8DF3EC545CB04

Function 0000026C9CB85A10 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 102threadinjectionprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 0000026C9CB85AB0
CreateProcessA.KERNEL32 ref: 0000026C9CB85B18
VirtualAllocEx.KERNEL32 ref: 0000026C9CB85B49
WriteProcessMemory.KERNEL32 ref: 0000026C9CB85B6A
GetThreadContext.KERNEL32 ref: 0000026C9CB85B84
SetThreadContext.KERNEL32 ref: 0000026C9CB85B9E
ResumeThread.KERNEL32 ref: 0000026C9CB85BB1

Strings

%s%s, xrefs: 0000026C9CB85AC4
@, xrefs: 0000026C9CB85B3E
Windows\System32\svchost.exe, xrefs: 0000026C9CB85AB6
h, xrefs: 0000026C9CB85A84

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
String ID: %s%s$@$Windows\System32\svchost.exe$h
API String ID: 4033188109-2160973000
Opcode ID: 4603eddee24f2c2698b3de494bfe0deafb39d4e7db297f61fd0084748d6fe062
Instruction ID: f43da4b7ee9677b7309404a10b42d9cc9d677f0b865c594b53a01680162dd2a8
Opcode Fuzzy Hash: 4603eddee24f2c2698b3de494bfe0deafb39d4e7db297f61fd0084748d6fe062
Instruction Fuzzy Hash: 4E419B32215BC1C6EB20EF61E8443BAB7B5F788788F940015EAC957E58DF7AC519CB00

Function 0000026C9CB841F0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB82A10: SysFreeString.OLEAUT32 ref: 0000026C9CB82A6D
Part of subcall function 0000026C9CB82A10: SysAllocString.OLEAUT32 ref: 0000026C9CB82AB9

GetTokenInformation.ADVAPI32 ref: 0000026C9CB84266
GetLastError.KERNEL32 ref: 0000026C9CB84270
GetProcessHeap.KERNEL32 ref: 0000026C9CB84283
HeapAlloc.KERNEL32 ref: 0000026C9CB84292
GetTokenInformation.ADVAPI32 ref: 0000026C9CB842BE
LookupAccountSidW.ADVAPI32 ref: 0000026C9CB842FC
GetLastError.KERNEL32 ref: 0000026C9CB84306
GetProcessHeap.KERNEL32 ref: 0000026C9CB84356
HeapFree.KERNEL32 ref: 0000026C9CB84364

Strings

Network, xrefs: 0000026C9CB841F0
NONE_MAPPED, xrefs: 0000026C9CB84313

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountLookup
String ID: NONE_MAPPED$Network
API String ID: 1972796461-3150097737
Opcode ID: dc04e29aa2e29e93e0f6f97a95982f0179af726db92d6d1e0a5c71dd7b62d461
Instruction ID: d1555d9cd84eac1fadbafde1da95cbcecea949e538109b430628dd6c0c8d0041
Opcode Fuzzy Hash: dc04e29aa2e29e93e0f6f97a95982f0179af726db92d6d1e0a5c71dd7b62d461
Instruction Fuzzy Hash: D9414032606A41C6EB20AB11E8987BB73F4FB89B85FA44425EAC947B55DF3EC505CB10

Function 0000026C9CB85040 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000026C9CB85055
OpenProcessToken.ADVAPI32 ref: 0000026C9CB85068
LookupPrivilegeValueW.ADVAPI32 ref: 0000026C9CB85088
AdjustTokenPrivileges.ADVAPI32 ref: 0000026C9CB850B2
CloseHandle.KERNEL32 ref: 0000026C9CB850BD
GetModuleHandleA.KERNEL32 ref: 0000026C9CB850CA
GetProcAddress.KERNEL32 ref: 0000026C9CB850DA
OpenProcess.KERNEL32 ref: 0000026C9CB85112

Strings

NtDll.dll, xrefs: 0000026C9CB850C3
NtSetInformationProcess, xrefs: 0000026C9CB850D0
SeDebugPrivilege, xrefs: 0000026C9CB85077

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Process$HandleOpenToken$AddressAdjustCloseCurrentLookupModulePrivilegePrivilegesProcValue
String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
API String ID: 2787840106-1577477132
Opcode ID: de3b0c7de4938cd4d9b60420ee93e2d79fa07d28ae88f8e18ff7779c5da0ff56
Instruction ID: 68f277f404c4067bbc3f578d8188cdcf927993a67e2f46145113366f79acb30d
Opcode Fuzzy Hash: de3b0c7de4938cd4d9b60420ee93e2d79fa07d28ae88f8e18ff7779c5da0ff56
Instruction Fuzzy Hash: E2211B71616A45C3EB10EB61F4593BA77F0FB89B58FA00015AACE47B55DF7BC0498B40

Function 0000026C9CB97B8C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 0000026C9CB97BD1
_set_error_mode.LIBCMT ref: 0000026C9CB97BE2
GetModuleFileNameW.KERNEL32 ref: 0000026C9CB97C44
GetStdHandle.KERNEL32 ref: 0000026C9CB97D59
WriteFile.KERNEL32 ref: 0000026C9CB97DB6

Strings

<program name unknown>, xrefs: 0000026C9CB97C53
Microsoft Visual C++ Runtime Library, xrefs: 0000026C9CB97CFD
Runtime Error!Program: , xrefs: 0000026C9CB97C11
..., xrefs: 0000026C9CB97C96

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: File_set_error_mode$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 1085760375-4022980321
Opcode ID: a75b4c166f4ff9e0fa6da0bd796e45336551005c980250f4ac4646e2192a69c9
Instruction ID: 2212d64771e97b8a5c61fc2030e0a7f12c6d892390ad112c7dbbb278cc3a4b94
Opcode Fuzzy Hash: a75b4c166f4ff9e0fa6da0bd796e45336551005c980250f4ac4646e2192a69c9
Instruction Fuzzy Hash: 6251C332306690C2FB64F735E4297BA73F0FB85788FA44115AED943BA6CF3AC5058644

Function 00007FF7F7319F50 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 145windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7F7319F89
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7F7319FE7
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7F731A03E

Strings

Permission denied, xrefs: 00007FF7F731A0B2
The specified module could not be found., xrefs: 00007FF7F731A05E
No space left on device, xrefs: 00007FF7F731A0A0
No such file or directory, xrefs: 00007FF7F731A0BB
Too many open files, xrefs: 00007FF7F731A0A9

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: No space left on device$No such file or directory$Permission denied$The specified module could not be found.$Too many open files
API String ID: 1365068426-3654939424
Opcode ID: be521251e698086a4d4e1ef04526cc968ae02a472e1e1e25b1f7a3c59cb21574
Instruction ID: 037260788a355d579ce59a67978e8cb606d85cc487362971c801ad2eba094687
Opcode Fuzzy Hash: be521251e698086a4d4e1ef04526cc968ae02a472e1e1e25b1f7a3c59cb21574
Instruction Fuzzy Hash: 8651713AA04A5197E760EF25D88057CB3A0BF84BB4F948136ED2E836D4DF79D846C790

Function 0000026C9CB8CBF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 127COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 0000026C9CB8CC2A
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000026C9CB8CD21
CreateEventW.KERNEL32 ref: 0000026C9CB8CD62
CreateEventW.KERNEL32 ref: 0000026C9CB8CD90
CreateEventW.KERNEL32 ref: 0000026C9CB8CDBE

Part of subcall function 0000026C9CB872B0: GdipDisposeImage.GDIPLUS ref: 0000026C9CB872ED
Part of subcall function 0000026C9CB872B0: GdipFree.GDIPLUS ref: 0000026C9CB872FB

Strings

<, xrefs: 0000026C9CB8CC85
`, xrefs: 0000026C9CB8CC9A
<, xrefs: 0000026C9CB8CC8C

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CreateEvent$Gdip$CountCriticalDisposeFreeImageInitializeSectionSpin
String ID: <$<$`
API String ID: 3048658606-2220807966
Opcode ID: df5c58209d20144fac77f641d0bf13223d1090dc20bdac81c627280d7c07bfee
Instruction ID: 92310ee4e2c47a5c6b96f3d7ee2b046e4ff668954c09234666b816004c6d4cc9
Opcode Fuzzy Hash: df5c58209d20144fac77f641d0bf13223d1090dc20bdac81c627280d7c07bfee
Instruction Fuzzy Hash: 2851DC72202B51C2E718AF34E85876D36B8F745F58F24422DAFA95BB98CF7A8451CB40

Function 0000026C9CB856A0 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000026C9CB856B7
OpenProcessToken.ADVAPI32 ref: 0000026C9CB856CA
LookupPrivilegeValueW.ADVAPI32 ref: 0000026C9CB856F5
AdjustTokenPrivileges.ADVAPI32 ref: 0000026C9CB85718
GetLastError.KERNEL32 ref: 0000026C9CB8571E
CloseHandle.KERNEL32 ref: 0000026C9CB8572D
CloseHandle.KERNEL32 ref: 0000026C9CB85748

Strings

SeShutdownPrivilege, xrefs: 0000026C9CB856DB

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3435690185-3733053543
Opcode ID: 991f30af3a6744b5f69f974a0569d38b3971da61082ad6ce6e3ec9eac49991d0
Instruction ID: 6b224f155c52d4a053015e8fa4ad8b9bcdb63aabed638518a3f31d048552f9e8
Opcode Fuzzy Hash: 991f30af3a6744b5f69f974a0569d38b3971da61082ad6ce6e3ec9eac49991d0
Instruction Fuzzy Hash: AE115E72626A40C3FB50AB25E85937B77F5F788B40FA04415E9CE86A14DE3EC458CB00

Function 0000026C9CB88997 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47processshutdownCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000026C9CB889A3
GetCommandLineW.KERNEL32 ref: 0000026C9CB889A9
GetStartupInfoW.KERNEL32 ref: 0000026C9CB889B6
CreateProcessW.KERNEL32 ref: 0000026C9CB889F3
ExitProcess.KERNEL32 ref: 0000026C9CB889FC
ExitProcess.KERNEL32 ref: 0000026C9CB88A05

Part of subcall function 0000026C9CB856A0: GetCurrentProcess.KERNEL32 ref: 0000026C9CB856B7
Part of subcall function 0000026C9CB856A0: OpenProcessToken.ADVAPI32 ref: 0000026C9CB856CA
Part of subcall function 0000026C9CB856A0: LookupPrivilegeValueW.ADVAPI32 ref: 0000026C9CB856F5
Part of subcall function 0000026C9CB856A0: AdjustTokenPrivileges.ADVAPI32 ref: 0000026C9CB85718
Part of subcall function 0000026C9CB856A0: GetLastError.KERNEL32 ref: 0000026C9CB8571E
Part of subcall function 0000026C9CB856A0: CloseHandle.KERNEL32 ref: 0000026C9CB8572D

ExitWindowsEx.USER32 ref: 0000026C9CB88A1B

Part of subcall function 0000026C9CB856A0: CloseHandle.KERNEL32 ref: 0000026C9CB85748

Strings

, xrefs: 0000026C9CB889E7

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Process$Exit$CloseHandleToken$AdjustCommandCreateCurrentErrorFileInfoLastLineLookupModuleNameOpenPrivilegePrivilegesStartupValueWindows
String ID:
API String ID: 2667809516-3916222277
Opcode ID: a274c2ab89dcb3f931120a1ddd554a39c3b12f7e05ca43a7662b359e7219e845
Instruction ID: 3e602c4fab31665c8c4f2a9b4fffbfda6c94d47fee6445b28abfbff6bff09d7a
Opcode Fuzzy Hash: a274c2ab89dcb3f931120a1ddd554a39c3b12f7e05ca43a7662b359e7219e845
Instruction Fuzzy Hash: 14112176601A40CBE764AF70F8993BE73B4F788758F940115AACA07A99CF3AC155C700

Function 0000026C9CB9C7E0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026C9CB94F78: _getptd.LIBCMT ref: 0000026C9CB94F8A

_errno.LIBCMT ref: 0000026C9CB9C830
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB9C83A
_errno.LIBCMT ref: 0000026C9CB9C85C
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB9C868
_errno.LIBCMT ref: 0000026C9CB9C890
_cftoe_l.LIBCMT ref: 0000026C9CB9C8D4

Strings

gfffffff, xrefs: 0000026C9CB9CB5F

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
String ID: gfffffff
API String ID: 1282097019-1523873471
Opcode ID: 556f12f472df7c314a951936d8e99cd1d3ce7c173c0ae253b973df429c375633
Instruction ID: 92754716f371ae3e729c15187c2286f6e0c3ffce4a03549d7120517c40cc1056
Opcode Fuzzy Hash: 556f12f472df7c314a951936d8e99cd1d3ce7c173c0ae253b973df429c375633
Instruction Fuzzy Hash: 3BB111737063C8C6EB52DB29C6493BD7BB5A7127D8F248621CB9A077DAE63A8415C310

Function 0000026C9CB93A20 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000026C9CB9656B
RtlLookupFunctionEntry.KERNEL32 ref: 0000026C9CB9658A
RtlVirtualUnwind.KERNEL32 ref: 0000026C9CB965D6
IsDebuggerPresent.KERNEL32 ref: 0000026C9CB96648
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026C9CB96660
UnhandledExceptionFilter.KERNEL32 ref: 0000026C9CB9666D
GetCurrentProcess.KERNEL32 ref: 0000026C9CB96686
TerminateProcess.KERNEL32 ref: 0000026C9CB96694

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: a231cb6aec9b0e57251850d34f2610e13ffa11949d7c845deaba270be49158b0
Instruction ID: b5305d5148918f7b53ecec5b4e79ebb6042db30035800cbd7bc08e8058e4b260
Opcode Fuzzy Hash: a231cb6aec9b0e57251850d34f2610e13ffa11949d7c845deaba270be49158b0
Instruction Fuzzy Hash: 2731023190AB84C6EB50AB54F84877A77B4F795794FA04026DACE43BA5DF7EC1548B00

Function 0000026C9CB88933 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32 ref: 0000026C9CB88967
ClearEventLogW.ADVAPI32 ref: 0000026C9CB8897A
CloseEventLog.ADVAPI32 ref: 0000026C9CB88983

Strings

System, xrefs: 0000026C9CB8894C
Application, xrefs: 0000026C9CB88933
Security, xrefs: 0000026C9CB88941

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 64425f49ed47b34c4a421d998de9bdb23b72944f8aa1223f8da030d793edcbb5
Instruction ID: ce91327e283b6098717e9efabe672ecf95a6dae16ee2fa72b12ceb32a05526ff
Opcode Fuzzy Hash: 64425f49ed47b34c4a421d998de9bdb23b72944f8aa1223f8da030d793edcbb5
Instruction Fuzzy Hash: 4601DE35606B40C6FB25AB26F4983B973F4B78C794F6411268ACD07765EE3AC155C700

Function 00007FF7F7342C00 Relevance: 9.5, APIs: 6, Instructions: 456windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF7F7342E4E
MsgWaitForMultipleObjectsEx.USER32 ref: 00007FF7F73430C3
MsgWaitForMultipleObjectsEx.USER32 ref: 00007FF7F73431D1
PostMessageW.USER32 ref: 00007FF7F73432BF

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: MessageMultipleObjectsWait$PeekPost
String ID:
API String ID: 105686753-0
Opcode ID: bde40b9d549f6fae919aee2e8763a9875290cbc4817eaa1538dff8214ff397bc
Instruction ID: 90f33b0622a9e56c3e02fac2bda027588f2ca021eadb2220805459c0b9525f49
Opcode Fuzzy Hash: bde40b9d549f6fae919aee2e8763a9875290cbc4817eaa1538dff8214ff397bc
Instruction Fuzzy Hash: F0221236A0CAC197EB14AF24C8413BDA360FF84788F905139DA6E636D5DF39E486C790

Function 00007FF7F73FA144 Relevance: 9.3, APIs: 6, Instructions: 280timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7F73FA18E

Part of subcall function 00007FF7F73F932C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F73F9340

_get_daylight.LIBCMT ref: 00007FF7F73FA17D

Part of subcall function 00007FF7F73F938C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F73F93A0

_get_daylight.LIBCMT ref: 00007FF7F73FA406
_get_daylight.LIBCMT ref: 00007FF7F73FA417
_get_daylight.LIBCMT ref: 00007FF7F73FA428
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7F73FA634), ref: 00007FF7F73FA44F

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$InformationTimeZone
String ID:
API String ID: 435049134-0
Opcode ID: 137aa6c628618abedf1ddfa1769073cfff43dc3b72dfa687c4f3e24b5cce473d
Instruction ID: 1ca0fe581c21a3a0861faa25e2790832e43c3a4bb59565289de8c7c91065bffb
Opcode Fuzzy Hash: 137aa6c628618abedf1ddfa1769073cfff43dc3b72dfa687c4f3e24b5cce473d
Instruction Fuzzy Hash: D9B1D22AB0828296EB18FF26D8415B9E351AF857C4F80413AEA7D477D5DF3DE44387A0

Function 00007FF7F73F7648 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7F73F76C1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7F73F76D9
RtlVirtualUnwind.KERNEL32 ref: 00007FF7F73F7714
IsDebuggerPresent.KERNEL32 ref: 00007FF7F73F774D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F73F7757
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7F73F7762

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 87ff3d6eeb635e790895d91028e87dc3f406e0927c6df138aeb043b668ae2b89
Instruction ID: 07b75f05056cb389c232d503058d9957bf88583297a4e8fbfa5e0cc1c69c483d
Opcode Fuzzy Hash: 87ff3d6eeb635e790895d91028e87dc3f406e0927c6df138aeb043b668ae2b89
Instruction Fuzzy Hash: E331A73A614B8196DB24DF24E8402FEB3A4FB88794F900139EAAD43B94DF3CD556CB50

Function 00007FF7F7381B50 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 303fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF7F7381BE5
DeviceIoControl.KERNEL32 ref: 00007FF7F7381C64
CloseHandle.KERNEL32 ref: 00007FF7F7381DC1

Strings

\\?\, xrefs: 00007FF7F7381E56
^Volume\{([a-z]|[0-9]|-)+\}\\, xrefs: 00007FF7F7381DDF

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: \\?\$^Volume\{([a-z]|[0-9]|-)+\}\\
API String ID: 33631002-4034573397
Opcode ID: a2c130af8c3b6cf50b6a52d76a7e523c0275167e47f78f66250d50651771c600
Instruction ID: ff73183976e3354f3b2dcdcfb1c3d7d3f371055a02cf4715248a47c07ac47a79
Opcode Fuzzy Hash: a2c130af8c3b6cf50b6a52d76a7e523c0275167e47f78f66250d50651771c600
Instruction Fuzzy Hash: 6DD1903AA0969197EB10EF29E4406BDB3A0FF84754F944239DA6D836D4DF3CD846CB90

Function 0000026C9CB851C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000026C9CB851D3
OpenProcessToken.ADVAPI32 ref: 0000026C9CB851E6
LookupPrivilegeValueW.ADVAPI32 ref: 0000026C9CB85215
AdjustTokenPrivileges.ADVAPI32 ref: 0000026C9CB8525A

Strings

SeDebugPrivilege, xrefs: 0000026C9CB8520C

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 2349140579-2896544425
Opcode ID: 3df3e9674ee82a8dd9461d8c8e16cfb09a5d387e4b33b5c3f15a18fe30b99d19
Instruction ID: 787652d7ace9cf58026a41ce19ab7ca32cc9a71d4342b5cbf7a7a4d1df801134
Opcode Fuzzy Hash: 3df3e9674ee82a8dd9461d8c8e16cfb09a5d387e4b33b5c3f15a18fe30b99d19
Instruction Fuzzy Hash: 50113032616B80C3EB10AF51F44926BB3B4F789748F940015EACE46B14DF7EC018CB00

Function 0000026C9CB84F20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

PathIsDirectoryA.SHLWAPI ref: 0000026C9CB84F40
GlobalMemoryStatusEx.KERNEL32 ref: 0000026C9CB84FA8

Strings

C:\Program Files\VMware\VMware Tools\, xrefs: 0000026C9CB84F39
VMware, xrefs: 0000026C9CB84F85
@, xrefs: 0000026C9CB84FA0

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: DirectoryGlobalMemoryPathStatus
String ID: @$C:\Program Files\VMware\VMware Tools\$VMware
API String ID: 2404642766-3945705589
Opcode ID: 9eef2ea4262c92f19372715fd3c3978f4fca6487c545fe70191300ad05ea55d3
Instruction ID: 1c7447c3d7993cd39ed54d8fdba7bbf984ab18c07e6a732b80cffe7b44e1f617
Opcode Fuzzy Hash: 9eef2ea4262c92f19372715fd3c3978f4fca6487c545fe70191300ad05ea55d3
Instruction Fuzzy Hash: DA115B36616A80C1EF20FB21E4993BA73B0F798788FD0402596CE42A95EF3EC509CB04

Function 00007FF7F73FD588 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7F73FD5F7
WriteFile.KERNEL32 ref: 00007FF7F73FD8AE
WriteFile.KERNEL32 ref: 00007FF7F73FD900
GetLastError.KERNEL32 ref: 00007FF7F73FDA02
GetLastError.KERNEL32 ref: 00007FF7F73FDA62

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: 401fe4669268a13e147bc2a0c3f252077b6128bc5c543b1d41c0b6380ef1694e
Instruction ID: 789d5367c10da489537df1acf092dc8af6436894fc78f55a9ef87408f106e30e
Opcode Fuzzy Hash: 401fe4669268a13e147bc2a0c3f252077b6128bc5c543b1d41c0b6380ef1694e
Instruction Fuzzy Hash: 5BE11326B18A81AAEB04DF64D0541EDBB70FB457D8F90413ADE6E17BD8CE38D416C790

Function 00007FF7F7396BF0 Relevance: 7.6, Strings: 5, Instructions: 1337COMMON

Download Yara Rule

Strings

default, xrefs: 00007FF7F73970DC, 00007FF7F7397206, 00007FF7F7397896, 00007FF7F7397D25
QDateTimeParser::parse Internal error 2, xrefs: 00007FF7F7397214
QDateTimeParser::parse Internal error 3 (%s %s), xrefs: 00007FF7F73978A4
QDateTimeParser::parse Internal error 4 (%s), xrefs: 00007FF7F7397D33
QDateTimeParser::parse Internal error (%s), xrefs: 00007FF7F73970EA

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: QDateTimeParser::parse Internal error (%s)$QDateTimeParser::parse Internal error 2$QDateTimeParser::parse Internal error 3 (%s %s)$QDateTimeParser::parse Internal error 4 (%s)$default
API String ID: 0-412086101
Opcode ID: 2f91bf01c8acce56a866329e44f367f359a3cfcc74283a7fccceca5c0ea94de4
Instruction ID: 7882a0200a7ab5d723df586f992175cc6e815f812c57c64cb7a74b2c1af7ca6a
Opcode Fuzzy Hash: 2f91bf01c8acce56a866329e44f367f359a3cfcc74283a7fccceca5c0ea94de4
Instruction Fuzzy Hash: 0AD2E536A086829BEB20EF24D4402EDB772FF85794F904139DA2D576D9DF38E942C790

Function 0000026C9CB83970 Relevance: 7.6, APIs: 5, Instructions: 56processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0000026C9CB839B1
Process32FirstW.KERNEL32 ref: 0000026C9CB839D0
Process32NextW.KERNEL32 ref: 0000026C9CB83A10
CloseHandle.KERNEL32 ref: 0000026C9CB83A1D
CloseHandle.KERNEL32 ref: 0000026C9CB83A46

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: 0e6cdfb65babf1bf3c4be1fd3b5a506397d62204a4a8a4036368e1bef1891cbb
Instruction ID: 4203d40e75d78602b3c35b37f5ec7683defdde88e78971de7271a5f6ea5defb8
Opcode Fuzzy Hash: 0e6cdfb65babf1bf3c4be1fd3b5a506397d62204a4a8a4036368e1bef1891cbb
Instruction Fuzzy Hash: 30218131205680C6EB64AB15E48C37AB7F1FB8CB94F948265DADA42794EF3EC548CB00

Function 0000026C9CB84140 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0000026C9CB8419C
CheckTokenMembership.ADVAPI32 ref: 0000026C9CB841B6
FreeSid.ADVAPI32 ref: 0000026C9CB841C1

Strings

Network, xrefs: 0000026C9CB84140

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID: Network
API String ID: 3429775523-2939797024
Opcode ID: 8ad016942c7da11828b6f5aa434babc68504aae5a5167266cc484b2e2891f1f3
Instruction ID: f3429d07a1d5d3eef64c7c28fbc9bf5305603705acf0ce455173f2da4d0e21d2
Opcode Fuzzy Hash: 8ad016942c7da11828b6f5aa434babc68504aae5a5167266cc484b2e2891f1f3
Instruction Fuzzy Hash: 4611FAB2619B44C7E7209F26F49436BBBB0F788744F60112AE6CA46B68DB3DD149CF00

Function 00007FF7F73FA3D8 Relevance: 6.1, APIs: 4, Instructions: 149timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7F73FA406

Part of subcall function 00007FF7F73F938C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F73F93A0

_get_daylight.LIBCMT ref: 00007FF7F73FA417

Part of subcall function 00007FF7F73F932C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F73F9340

_get_daylight.LIBCMT ref: 00007FF7F73FA428

Part of subcall function 00007FF7F73F935C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7F73F9370

Part of subcall function 00007FF7F74010CC: HeapFree.KERNEL32(?,?,?,00007FF7F7407920,?,?,?,00007FF7F7407963,?,?,00000001,00007FF7F7407E28,?,?,?,00007FF7F7407D5B), ref: 00007FF7F74010E2
Part of subcall function 00007FF7F74010CC: GetLastError.KERNEL32(?,?,?,00007FF7F7407920,?,?,?,00007FF7F7407963,?,?,00000001,00007FF7F7407E28,?,?,?,00007FF7F7407D5B), ref: 00007FF7F74010F4

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7F73FA634), ref: 00007FF7F73FA44F

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 2b8e42fba298950875784907ae90498541b511e2692174a64a3f91a37cb06da3
Instruction ID: a33cd6fe0aecc081e93af2e0cf94aed167d852453cd763404e8a3d9d95054a82
Opcode Fuzzy Hash: 2b8e42fba298950875784907ae90498541b511e2692174a64a3f91a37cb06da3
Instruction Fuzzy Hash: 7F619D7AA0828296EB14FF25D5815B9E360BF49784FC0413AEABD477D5DF3CE40287A0

Function 0000026C9CBA4288 Relevance: 5.8, Strings: 4, Instructions: 795COMMONLIBRARYCODE

Download Yara Rule

Strings

1#INF, xrefs: 0000026C9CBA43EE
1#SNAN, xrefs: 0000026C9CBA4372
1#IND, xrefs: 0000026C9CBA43B7
1#QNAN, xrefs: 0000026C9CBA4425

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: 48b426091ca7310074e47ba4353bcb83d81d6977aa3c1439b94c3d96a45d4ada
Instruction ID: c783d35dcf1fa0c429f33cb097b2bc29a5ece109fd13d3990c9ba5887afdcab0
Opcode Fuzzy Hash: 48b426091ca7310074e47ba4353bcb83d81d6977aa3c1439b94c3d96a45d4ada
Instruction Fuzzy Hash: 2B62E077B26290CAF724DFB4C008BBD37F1B754348F60A419DEC567A88EA368915CB64

Function 00007FF7F7402934 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7402998

Strings

gfffffff, xrefs: 00007FF7F7402C49

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 7945e267a0154df2b998390322b850647b738dcd4beeb1d66246e91b04171181
Instruction ID: f541aa184c2fb23bda8774816bbdeeb4db0219400af488af5c12ddd2a9a27015
Opcode Fuzzy Hash: 7945e267a0154df2b998390322b850647b738dcd4beeb1d66246e91b04171181
Instruction Fuzzy Hash: A1914367B083C686EB25DF2994007BAABA4AB55BC4F458036CE6D477C5DE3CE503C760

Function 00007FF7F732B9B0 Relevance: 5.5, Strings: 4, Instructions: 467COMMON

Download Yara Rule

Strings

default, xrefs: 00007FF7F732BDEA, 00007FF7F732BF34, 00007FF7F732C021
QMetaMethod::invoke: Dead lock detected in BlockingQueuedConnection: Receiver is %s(%p), xrefs: 00007FF7F732C03A
QMetaMethod::invoke: Unable to handle unregistered datatype '%s', xrefs: 00007FF7F732BF47
QMetaMethod::invoke: Unable to invoke methods with return values in queued connections, xrefs: 00007FF7F732BDF5

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: QMetaMethod::invoke: Dead lock detected in BlockingQueuedConnection: Receiver is %s(%p)$QMetaMethod::invoke: Unable to handle unregistered datatype '%s'$QMetaMethod::invoke: Unable to invoke methods with return values in queued connections$default
API String ID: 0-3719105355
Opcode ID: 0a1dd0c491e2e491c67967bac0761aa9f640679ed4053f5351dec3832318cb0d
Instruction ID: 4b70d36f2aebd2c741244aa0a2c7b53f9aec540d4cdd185fa52668930e14cb00
Opcode Fuzzy Hash: 0a1dd0c491e2e491c67967bac0761aa9f640679ed4053f5351dec3832318cb0d
Instruction Fuzzy Hash: B522B23AA05B859AEB50DF25D8402ADB7A0FF88B94F904139DEAD47BE8DF38D441C750

Function 00007FF7F7408770 Relevance: 4.8, APIs: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF7F74087D6
memcpy_s.LIBCPMT ref: 00007FF7F7408801

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 61c8d48a73c74d7b2b5693099c23eccbf95a4682f3061de545b2f75f73c9d44c
Instruction ID: b1bd5e039bd6eda3ba5b95f0c7f0036deab981a68efc9d54f45b309b7eaca15b
Opcode Fuzzy Hash: 61c8d48a73c74d7b2b5693099c23eccbf95a4682f3061de545b2f75f73c9d44c
Instruction Fuzzy Hash: AAC1F576B1828A87DB24DF19E244A7AF7A5F794785F848134DB5E43784DB3CE812CB80

Function 0000026C9CB48A91 Relevance: 4.2, Strings: 3, Instructions: 444COMMON

Download Yara Rule

Strings

gfff, xrefs: 0000026C9CB48B9F
gfff, xrefs: 0000026C9CB48B6E
, xrefs: 0000026C9CB48C71

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: malloc
String ID: $gfff$gfff
API String ID: 2803490479-4202476792
Opcode ID: 758d396988162ef052379c07bd050d4c25eb1eec0b7406e23305d088414f20ac
Instruction ID: b8cecee3a01372af715f34db698f71af6c3856eac05da8091c77da44e32c93a9
Opcode Fuzzy Hash: 758d396988162ef052379c07bd050d4c25eb1eec0b7406e23305d088414f20ac
Instruction Fuzzy Hash: 37E18270618A48CFEB49EF78D44977D77F2FF59301F204229A84AD7292EB3598428B81

Function 0000026C9CB4C6C1 Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

`, xrefs: 0000026C9CB4C76B
<, xrefs: 0000026C9CB4C756
<, xrefs: 0000026C9CB4C75D

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: <$<$`
API String ID: 0-2220807966
Opcode ID: df5c58209d20144fac77f641d0bf13223d1090dc20bdac81c627280d7c07bfee
Instruction ID: 9663d4defe82fb06473056d96674e6fc940051d97059012cf64383bf675be4df
Opcode Fuzzy Hash: df5c58209d20144fac77f641d0bf13223d1090dc20bdac81c627280d7c07bfee
Instruction Fuzzy Hash: 095163B06196198FEF98DF28D49436537E5FB49700F1581BE9C5ACF29ACF75C8418B80

Function 00007FF7F7403340 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7403376

Part of subcall function 00007FF7F73F787C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7F73F7859), ref: 00007FF7F73F7885
Part of subcall function 00007FF7F73F787C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7F73F7859), ref: 00007FF7F73F78AA

Strings

-, xrefs: 00007FF7F7403568

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: -
API String ID: 4036615347-2547889144
Opcode ID: 4818ce36b43b8457feceb959f8c110170a1097cd530babca61bdf488c472f1ae
Instruction ID: 1b235e4c938d95745e48895567df2f1a2ca04148f113b444fd3050fa3a18e801
Opcode Fuzzy Hash: 4818ce36b43b8457feceb959f8c110170a1097cd530babca61bdf488c472f1ae
Instruction Fuzzy Hash: FE910336A0878546EB749B25954077AFB91FB85BD0F81423DEAAD47BD8CF3CD4028740

Function 0000026C9CBA3A24 Relevance: 3.6, APIs: 2, Instructions: 613COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CBA3A87
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CBA3A92

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 2c31b7c5487f01d281f7e0ea84f95429dd58f40f530a4d6afe04b2f875753eb5
Instruction ID: 39233c8762e98e2a150af145adc951e597a38b588d00845f021ff6fd5dcb6347
Opcode Fuzzy Hash: 2c31b7c5487f01d281f7e0ea84f95429dd58f40f530a4d6afe04b2f875753eb5
Instruction Fuzzy Hash: DB32AE76B16254CAF764AFA5C0487BC37F2A328748FB4501ACEC657AC5D63AC949C700

Function 0000026C9CB425D1 Relevance: 3.6, APIs: 2, Instructions: 568COMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB53949: malloc.LIBCMT ref: 0000026C9CB53963

Part of subcall function 0000026C9CB540CD: _errno.LIBCMT ref: 0000026C9CB540EB
Part of subcall function 0000026C9CB540CD: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB540F7

Part of subcall function 0000026C9CB540CD: _errno.LIBCMT ref: 0000026C9CB54139

swprintf.LIBCMT ref: 0000026C9CB42B68

Part of subcall function 0000026C9CB538B9: _vswprintf_s_l.LIBCMT ref: 0000026C9CB538D3

swprintf.LIBCMT ref: 0000026C9CB42BD8

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errnoswprintf$_invalid_parameter_noinfo_vswprintf_s_lmalloc
String ID:
API String ID: 2736340244-0
Opcode ID: 6d0d3b0f645c5a8fb496adac5f8cebacee4c21e0aa47414c173cae9568fb7acf
Instruction ID: 421d7e22435e04f3fec4d4c7382c6e3753a120b1f77bd76c10c5deeead93c3c4
Opcode Fuzzy Hash: 6d0d3b0f645c5a8fb496adac5f8cebacee4c21e0aa47414c173cae9568fb7acf
Instruction Fuzzy Hash: A7226431519A48CBEB25EF64DC896FA77E5FB58301F20462ED48BC3191DB34E645CB82

Function 0000026C9CB5765D Relevance: 3.2, APIs: 2, Instructions: 240COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 0000026C9CB576A2
_set_error_mode.LIBCMT ref: 0000026C9CB576B3

Part of subcall function 0000026C9CB54045: _errno.LIBCMT ref: 0000026C9CB54064
Part of subcall function 0000026C9CB54045: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB54070

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _set_error_mode$_errno_invalid_parameter_noinfo
String ID:
API String ID: 1239817535-0
Opcode ID: 0b0ba07c33e6806856d6d18b595c067dd94e202b36702a5aed12f79ed91a311e
Instruction ID: e1966fbe2d6c0feea5c434ea147be36c4767cf829edc84416c5432dc503704bc
Opcode Fuzzy Hash: 0b0ba07c33e6806856d6d18b595c067dd94e202b36702a5aed12f79ed91a311e
Instruction Fuzzy Hash: 9161E831718948CBE7ACFF29E86937A72E5E798301F20452EE48BC31D6DE35C9058645

Function 00007FF7F740A9D8 Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7F740AC27
RaiseException.KERNEL32 ref: 00007FF7F740AC38

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: e37cea3d6c78cc31d989566bfc0951e48ead2e3c7dd949fca7103c317dc8dc40
Instruction ID: cdce13487d45f55509ca9ef06be3983636b3b5dfb58e5ad754ef20bb302e2ec1
Opcode Fuzzy Hash: e37cea3d6c78cc31d989566bfc0951e48ead2e3c7dd949fca7103c317dc8dc40
Instruction Fuzzy Hash: A1B18B77604B848BEB15DF29C88277CB7A0F744B88F558921DB6D837A4CB39D412CB60

Function 00007FF7F7380B00 Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF7F7380B8D
FindClose.KERNEL32 ref: 00007FF7F7380B9C

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 41e6a5274b1e6dac8f16ab5682416ee48d99485c2ad493626b45c1f81abd2e0c
Instruction ID: c3e95a06ebcc6bcc40247ec1eff8bf491002887e0ffeff5792d0381880f8ff33
Opcode Fuzzy Hash: 41e6a5274b1e6dac8f16ab5682416ee48d99485c2ad493626b45c1f81abd2e0c
Instruction Fuzzy Hash: CC31933AA0869253EB11AB259400379A350BF81BB8F948334EA7D473D5DE3DE80787A1

Function 0000026C9CB90EF0 Relevance: 3.1, APIs: 2, Instructions: 61networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 0000026C9CB90F64
bind.WS2_32 ref: 0000026C9CB90F98

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: bindhtons
String ID:
API String ID: 791846173-0
Opcode ID: 9171ba2a606171ecc4786a987eabdf1552a5d8aa28dfa7c78a1eb5a2f926cfbb
Instruction ID: c79988fff8cfa01555859b8aaa688cabdabc1db1eaae0ee3b347a4f5fb49d4fa
Opcode Fuzzy Hash: 9171ba2a606171ecc4786a987eabdf1552a5d8aa28dfa7c78a1eb5a2f926cfbb
Instruction Fuzzy Hash: C22130B2605240CBDBA0AB29F184779B3F0F34C794F948126EADA83798D779C9D18B44

Function 0000000140009400 Relevance: 3.1, APIs: 2, Instructions: 61networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 0000000140009474
bind.WS2_32 ref: 00000001400094A8

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: bindhtons
String ID:
API String ID: 791846173-0
Opcode ID: 6925adac4821d2ed962af63ddee1dd4fd3ce71ae2cc773bd1999aba9ab4df3dd
Instruction ID: bd2a576e2ffe52d7c01e4800f3e05812210ccc8ab2bd70da35787ebc86e8efb7
Opcode Fuzzy Hash: 6925adac4821d2ed962af63ddee1dd4fd3ce71ae2cc773bd1999aba9ab4df3dd
Instruction Fuzzy Hash: C82141F26042508BD7A1DB2AF1807AA73E0F38C794F444126FB89877A8D738C9D1CB04

Function 00007FF7F7330B50 Relevance: 3.0, Strings: 2, Instructions: 540COMMON

Download Yara Rule

Strings

default, xrefs: 00007FF7F7330D26, 00007FF7F7330DD9, 00007FF7F73311E5, 00007FF7F7331250
Qt: Dead lock detected while activating a BlockingQueuedConnection: Sender is %s(%p), receiver is %s(%p), xrefs: 00007FF7F7330E2F

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: Qt: Dead lock detected while activating a BlockingQueuedConnection: Sender is %s(%p), receiver is %s(%p)$default
API String ID: 0-188496423
Opcode ID: a95adbecaaaae865c9a6235cf9876b8f58fef2973d9c2cf80c44910392610114
Instruction ID: d48d6392f0405268ff5999fae63e4c64f3fea2d3cf50a766cbe84e809fa29461
Opcode Fuzzy Hash: a95adbecaaaae865c9a6235cf9876b8f58fef2973d9c2cf80c44910392610114
Instruction Fuzzy Hash: 7A32D636B05B8596EBA0EB15E4406A9B3A5FF447A4F840239EE7D477D4CF38E412D390

Function 00007FF7F732FE70 Relevance: 3.0, Strings: 2, Instructions: 524COMMON

Download Yara Rule

Strings

default, xrefs: 00007FF7F732FED9
QObject: shared QObject was deleted directly. The program is malformed and may crash., xrefs: 00007FF7F732FEE4

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: QObject: shared QObject was deleted directly. The program is malformed and may crash.$default
API String ID: 0-1590212175
Opcode ID: e5aff6f39530e9404b11ef22b592e89cf7a9c916e3d653303b7a8b4dc03af99d
Instruction ID: cdda689407bca05027c59433f488a704918467a7cb48e1480f6e0b32b64e6ee8
Opcode Fuzzy Hash: e5aff6f39530e9404b11ef22b592e89cf7a9c916e3d653303b7a8b4dc03af99d
Instruction Fuzzy Hash: 9E22F43AA0968593EBA4AB25D140779B3A1FF85BA0F845639DA7D037D0CF3DE442C790

Function 0000026C9CB44D51 Relevance: 2.8, Strings: 2, Instructions: 328COMMON

Download Yara Rule

Strings

h, xrefs: 0000026C9CB44DBC
@, xrefs: 0000026C9CB44FF6

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: @$h
API String ID: 0-1029331998
Opcode ID: 2fe978780a992464d5cc280ba7ad23027c9ff948f24b5252a9945e522b4a1024
Instruction ID: bb1d643b38703e6eabf5d22ffdd2e15f995644c1a8b18e688bbb7422220e181c
Opcode Fuzzy Hash: 2fe978780a992464d5cc280ba7ad23027c9ff948f24b5252a9945e522b4a1024
Instruction Fuzzy Hash: 18B1983051CA488FEB69EF68D8597A977E5FB98305F20452EE48FC3290DF38D5458B82

Function 0000026C9CB493A1 Relevance: 2.7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

Strings

h, xrefs: 0000026C9CB49585
, xrefs: 0000026C9CB49443

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: $h
API String ID: 0-1972213566
Opcode ID: b611456b3bcc38833470a90ab28e03b1449d2f3e91fc85b15cff31219b87bb00
Instruction ID: 726024a7ad6330df981011aa2eca33bf8b3d7edab8da8e0a21d9689f3ea7e84e
Opcode Fuzzy Hash: b611456b3bcc38833470a90ab28e03b1449d2f3e91fc85b15cff31219b87bb00
Instruction Fuzzy Hash: B5716F31519A8CCBEB25FF59C8597FA73B5FB98304F20412AE48AD3191DE39D6058B82

Function 0000026C9CB454E1 Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

@, xrefs: 0000026C9CB4560F
h, xrefs: 0000026C9CB45555

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: @$h
API String ID: 0-1029331998
Opcode ID: 171764235454b9f9713eebf5721cb306266bc98bd4d40bab5b9d69e11f9a6c74
Instruction ID: 4898d1283af816bf77c5d2f9406b453d789162c881fbbe55d435b0f292476534
Opcode Fuzzy Hash: 171764235454b9f9713eebf5721cb306266bc98bd4d40bab5b9d69e11f9a6c74
Instruction Fuzzy Hash: 37519E7051CB88CFEB64EF58D8497EAB7E5FB98305F10452EA48AC3290DB79D505CB82

Function 0000026C9CB8F650 Relevance: 1.8, Strings: 1, Instructions: 585COMMON

Download Yara Rule

Strings

[RO] %ld bytes, xrefs: 0000026C9CB8FCB5, 0000026C9CB8FE1F

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: [RO] %ld bytes
API String ID: 0-772938740
Opcode ID: f7cae8bca4d91966f46de86ca1ffd11b4dd1f0efa15ac6301475bef029487ce5
Instruction ID: e33129bf6711ca6124daf0ac3bad5939803ad97d7143a341e13e8269404430f2
Opcode Fuzzy Hash: f7cae8bca4d91966f46de86ca1ffd11b4dd1f0efa15ac6301475bef029487ce5
Instruction Fuzzy Hash: FA42793320A2C4CBC369DF28E4443AE7BA0F365B48F54816ADBC587B46D779E954CB60

Function 00007FF7F733B240 Relevance: 1.6, Strings: 1, Instructions: 377COMMON

Download Yara Rule

Strings

qt., xrefs: 00007FF7F733B33B

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: qt.
API String ID: 0-1039624776
Opcode ID: 02817b13b5f54e953de6f2b544777969141c6c08e9bdaa88296a4eb03950aaa7
Instruction ID: 15f8269137688c86cd31b2727ce1e80057b1613b29b67f6a05599a0c9bd58f83
Opcode Fuzzy Hash: 02817b13b5f54e953de6f2b544777969141c6c08e9bdaa88296a4eb03950aaa7
Instruction Fuzzy Hash: 3EE1077AB082D2A7FBB0AA25844067CA791EF41754F844139DEAD876C4CE3CE842D7A1

Function 0000026C9CB88A4E Relevance: 1.5, APIs: 1, Instructions: 19shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB856A0: GetCurrentProcess.KERNEL32 ref: 0000026C9CB856B7
Part of subcall function 0000026C9CB856A0: OpenProcessToken.ADVAPI32 ref: 0000026C9CB856CA
Part of subcall function 0000026C9CB856A0: LookupPrivilegeValueW.ADVAPI32 ref: 0000026C9CB856F5
Part of subcall function 0000026C9CB856A0: AdjustTokenPrivileges.ADVAPI32 ref: 0000026C9CB85718
Part of subcall function 0000026C9CB856A0: GetLastError.KERNEL32 ref: 0000026C9CB8571E
Part of subcall function 0000026C9CB856A0: CloseHandle.KERNEL32 ref: 0000026C9CB8572D

ExitWindowsEx.USER32 ref: 0000026C9CB88A5D

Part of subcall function 0000026C9CB856A0: CloseHandle.KERNEL32 ref: 0000026C9CB85748

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: e6a5fa4d446211fe06beb4dab869005ee2c12317f8f14c7869f8b8567d4f9dba
Instruction ID: f8000b28ae788ac5dbedeb9f41837e3b453413e944905a3f33a48f6b31f27ea9
Opcode Fuzzy Hash: e6a5fa4d446211fe06beb4dab869005ee2c12317f8f14c7869f8b8567d4f9dba
Instruction Fuzzy Hash: ACE048766055C0C7F776BB21E09A3FD7375F788B54F9400265A8E065868D2AC285C600

Function 0000026C9CB88A2D Relevance: 1.5, APIs: 1, Instructions: 19shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB856A0: GetCurrentProcess.KERNEL32 ref: 0000026C9CB856B7
Part of subcall function 0000026C9CB856A0: OpenProcessToken.ADVAPI32 ref: 0000026C9CB856CA
Part of subcall function 0000026C9CB856A0: LookupPrivilegeValueW.ADVAPI32 ref: 0000026C9CB856F5
Part of subcall function 0000026C9CB856A0: AdjustTokenPrivileges.ADVAPI32 ref: 0000026C9CB85718
Part of subcall function 0000026C9CB856A0: GetLastError.KERNEL32 ref: 0000026C9CB8571E
Part of subcall function 0000026C9CB856A0: CloseHandle.KERNEL32 ref: 0000026C9CB8572D

ExitWindowsEx.USER32 ref: 0000026C9CB88A3C

Part of subcall function 0000026C9CB856A0: CloseHandle.KERNEL32 ref: 0000026C9CB85748

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID:
API String ID: 681424410-0
Opcode ID: 0177cb3e1cdb11d46ee6c13810d57ab7c6ed36ee73c6af6f37b08cae63a0b0c8
Instruction ID: 0032c09460871648b4a3ca5347205e9e4095607130739c1f1c3edc47b3a16792
Opcode Fuzzy Hash: 0177cb3e1cdb11d46ee6c13810d57ab7c6ed36ee73c6af6f37b08cae63a0b0c8
Instruction Fuzzy Hash: 86E048766055C0C7F776FB61E09A3FD7375F788B54FD400165A8E065868D3AC285C600

Function 00007FF7F7368500 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

WriteOnly device, xrefs: 00007FF7F7368507

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: WriteOnly device
API String ID: 0-1802527306
Opcode ID: 4a57033495bddb99051febc7f191ded91fe92d2e0222cebf793c46ac7e716f0a
Instruction ID: 16269f2cd98a68b490dac83f0cc9157442b749f504d12d9a53d287d84bb6c4c4
Opcode Fuzzy Hash: 4a57033495bddb99051febc7f191ded91fe92d2e0222cebf793c46ac7e716f0a
Instruction Fuzzy Hash: 0C81466BB286D09BE714DB64C840AFE7670FF08B48F854039EF69877C4DA289616C760

Function 00007FF7F73F5BE4 Relevance: 1.5, Strings: 1, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF7F73F5D7D

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: c1934f50d4c005c5c6b6a34040f2f2f02356029904a6b0e8a89a5b866e439fbd
Instruction ID: 868385cff2d941b0c4a232835ca121102eaaacd3b33c15cc80397ed2b22e0c00
Opcode Fuzzy Hash: c1934f50d4c005c5c6b6a34040f2f2f02356029904a6b0e8a89a5b866e439fbd
Instruction Fuzzy Hash: 4571A61AA0C6C667EF6C6A1990043F9E791AF417C4FD4013ADDBA076D9CE2DE84387B1

Function 0000026C9CB4B8A1 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

<, xrefs: 0000026C9CB4BA17

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: e47fd5fbee84351a533ef5d5c3845aba2d1ac3dcc413a039a609c7d872dfff1b
Instruction ID: 6cdcc9a76227431a4d795fbd5258fe121668b628942345ee5b00695287f64362
Opcode Fuzzy Hash: e47fd5fbee84351a533ef5d5c3845aba2d1ac3dcc413a039a609c7d872dfff1b
Instruction Fuzzy Hash: 7D514130208A08CFF754EF28D859B6A77F5FB99304F50452DE54AC32A1DB39D946CB42

Function 0000026C9CB4F121 Relevance: .8, Instructions: 782COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26e77949d60ab34aa2646b0a25bc0193e1ff5bac38168d8d5f289d12d4320e6
Instruction ID: 1a6582b55b023f5b11bb40117bc9a0b4fce10e41b2ee92438bceecba0701157b
Opcode Fuzzy Hash: a26e77949d60ab34aa2646b0a25bc0193e1ff5bac38168d8d5f289d12d4320e6
Instruction Fuzzy Hash: 90527C30619785CFD729DF2CC4856A9BBE0FB69300F54856ED8CACB742D634E846CB92

Function 0000026C9CB862F0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f266c445950e1297430ac87a0a67c37b17f20ecc0e40b636969d92f470b947e8
Instruction ID: ac85e8c6c91afa2c82385ef1976d75cdd8d4611370bbde73a249661ad7e87830
Opcode Fuzzy Hash: f266c445950e1297430ac87a0a67c37b17f20ecc0e40b636969d92f470b947e8
Instruction Fuzzy Hash: 7622C577B785504BD71CCB19E892FA977A2F394308709A52CEA17D3F44DA3DEA06CA00

Function 00007FF7F7350970 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b618b6dd7e769c3153b16458297dc523fa2e891019ddc6d672f21eeebca888b
Instruction ID: ca0dd0d54c68b16e46df82ec91c4448a82e97292d1558e22ca457ed25f107bf5
Opcode Fuzzy Hash: 8b618b6dd7e769c3153b16458297dc523fa2e891019ddc6d672f21eeebca888b
Instruction Fuzzy Hash: 9402A077B04982A6EB10EB38C4802FCA7A1EF44758BD84636CA2D976D5DF25E947C390

Function 0000026C9CB4AF51 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$malloc
String ID:
API String ID: 610097836-0
Opcode ID: e24b6ed1d8ea57e9a4e8ffa4945a5f3e950eb114645b7d582015a0678ead6225
Instruction ID: 1ed1866ccbebb95ea90f14841e64c5ed7422ccfc367e98ab4b178f506c329d5d
Opcode Fuzzy Hash: e24b6ed1d8ea57e9a4e8ffa4945a5f3e950eb114645b7d582015a0678ead6225
Instruction Fuzzy Hash: 90E1A170518A48CFF769EF14D8597BA37F1FB48301F60452AE586C32E1DB399946CB82

Function 00007FF7F7350050 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f3db23d335aabe829bdd43622417786b09a7f35892de39b79545b5ac86ba9a
Instruction ID: edd8ef5bea0c556a02e52ff5e38f695b1f38724982bc1ce9622a308dc953f137
Opcode Fuzzy Hash: e7f3db23d335aabe829bdd43622417786b09a7f35892de39b79545b5ac86ba9a
Instruction Fuzzy Hash: 58E1F37AB086829BE7149F74D45027CBBA1AF84754FC48139DE2E977D4DE39E802CB90

Function 0000026C9CB43531 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a15f2423462a5abbdb9c6da5a9c4fcc013eb56b701b34c872b6b0bf0065a190
Instruction ID: 86a195b7e4fa481f4f272cb1fa6758afe8f48f13568980ff05cd26a04bd3cf1c
Opcode Fuzzy Hash: 7a15f2423462a5abbdb9c6da5a9c4fcc013eb56b701b34c872b6b0bf0065a190
Instruction Fuzzy Hash: 7BA1A67051CA48CFEB58EF18D8856B9B7F1FB98301F20426EE48AD71A5DB35D906CB81

Function 0000026C9CB40FC1 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3845032702664346093a983adc84234d0f38439fe42eeb9723b335d03598f4d2
Instruction ID: 6f2f006b86d1f9eb0deba097518f45e6ff6337902c15431117139df1e11c1e21
Opcode Fuzzy Hash: 3845032702664346093a983adc84234d0f38439fe42eeb9723b335d03598f4d2
Instruction Fuzzy Hash: 42715E7061CB48CFD768EF28D44976AB7E1FB89710F10492EE49EC3251DB35E8468B82

Function 0000026C9CBA5378 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction ID: 52cef456fdbf6cdccf25a4cbe79914841aae757aa9245bd1b8f2ed0f8c6f4637
Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction Fuzzy Hash: 4A51D072B166A1CBE7588F18E008F7C3AE9F794382F61D039DA9297F44DA76CD548B00

Function 000000014001BFE8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction ID: 53659f113055ede85aaf2fc74df7715867b2c9a905a4beaaa91a52d4308609d6
Opcode Fuzzy Hash: 5e1e48596fdf5ea50ef3df4a9aab293c2a7286e8955242186005ffd8a8896482
Instruction Fuzzy Hash: 3551E577B252A18BE75A8F19E404FAC3AA5F398385F51D039EB129BF51D676CC50CB00

Function 00007FF7F73461B0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6496731fa74dfd9424f69598ecc8c71401180258f910eac2dd5601b098a0783
Instruction ID: 9b6c778e573336f9bafeb18e4adddb3794519f3f94127f40b72b2e3b558e9acb
Opcode Fuzzy Hash: f6496731fa74dfd9424f69598ecc8c71401180258f910eac2dd5601b098a0783
Instruction Fuzzy Hash: 91512A12F1C1E9AFF7159EBD1C0059C6F219B71248F84416DDE9897F8BC928EA07C791

Function 00007FF7F73333A0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a8174c90d8608e81318d94b2c031deb892454abe5a591ccbc75316d7478f5c
Instruction ID: e44bc40a5cfeb26f180c872285166bf00eaff567d6f7d984be60ac294865146b
Opcode Fuzzy Hash: f8a8174c90d8608e81318d94b2c031deb892454abe5a591ccbc75316d7478f5c
Instruction Fuzzy Hash: 5C51E36AA0869553FBB5AB259400679A790FF04F98F94813EDE6D077D4CF3CE842D390

Function 00007FF7F7400ACC Relevance: .1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 80371e6dac681631be04dcf261c6f98bc6bea27ba4b5753d1749bcb0e5166604
Instruction ID: 69042441729d6784eaedfa2a9030abd9c0ff8ec7b12a45954e709d338b26921c
Opcode Fuzzy Hash: 80371e6dac681631be04dcf261c6f98bc6bea27ba4b5753d1749bcb0e5166604
Instruction Fuzzy Hash: 2641F626714A9982EF08DF6AD954179B3A1F748FD4F899032DE1D97BA8DF3CC0428380

Function 0000026C9CBA8270 Relevance: .0, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c379b1aee352c79a0ecec65525e13c06bad3dfb5bf851640375506568d2c6066
Instruction ID: 042b8d9f4528da8e5c071133901a2e87bd788c9d1e4ac96ca6996b84fc2b8a88
Opcode Fuzzy Hash: c379b1aee352c79a0ecec65525e13c06bad3dfb5bf851640375506568d2c6066
Instruction Fuzzy Hash: 36E01A97A9FFC4EBE762A5504C7E6383EE2ABB2B04B5C004B8BC002683F9574C148201

Function 0000026C9CB60D51 Relevance: 107.8, APIs: 86, Instructions: 270COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000026C9CB60D66

Part of subcall function 0000026C9CB54169: _errno.LIBCMT ref: 0000026C9CB54189

free.LIBCMT ref: 0000026C9CB60D6F
free.LIBCMT ref: 0000026C9CB60D78
free.LIBCMT ref: 0000026C9CB60D81
free.LIBCMT ref: 0000026C9CB60D8A
free.LIBCMT ref: 0000026C9CB60D93
free.LIBCMT ref: 0000026C9CB60D9B
free.LIBCMT ref: 0000026C9CB60DA4
free.LIBCMT ref: 0000026C9CB60DAD
free.LIBCMT ref: 0000026C9CB60DB6
free.LIBCMT ref: 0000026C9CB60DBF
free.LIBCMT ref: 0000026C9CB60DC8
free.LIBCMT ref: 0000026C9CB60DD1
free.LIBCMT ref: 0000026C9CB60DDA
free.LIBCMT ref: 0000026C9CB60DE3
free.LIBCMT ref: 0000026C9CB60DEC
free.LIBCMT ref: 0000026C9CB60DF8
free.LIBCMT ref: 0000026C9CB60E04
free.LIBCMT ref: 0000026C9CB60E10
free.LIBCMT ref: 0000026C9CB60E1C
free.LIBCMT ref: 0000026C9CB60E28
free.LIBCMT ref: 0000026C9CB60E34
free.LIBCMT ref: 0000026C9CB60E40
free.LIBCMT ref: 0000026C9CB60E4C
free.LIBCMT ref: 0000026C9CB60E58
free.LIBCMT ref: 0000026C9CB60E64
free.LIBCMT ref: 0000026C9CB60E70
free.LIBCMT ref: 0000026C9CB60E7C
free.LIBCMT ref: 0000026C9CB60E88
free.LIBCMT ref: 0000026C9CB60E94
free.LIBCMT ref: 0000026C9CB60EA0
free.LIBCMT ref: 0000026C9CB60EAC
free.LIBCMT ref: 0000026C9CB60EB8
free.LIBCMT ref: 0000026C9CB60EC4
free.LIBCMT ref: 0000026C9CB60ED0
free.LIBCMT ref: 0000026C9CB60EDC
free.LIBCMT ref: 0000026C9CB60EE8
free.LIBCMT ref: 0000026C9CB60EF4
free.LIBCMT ref: 0000026C9CB60F00
free.LIBCMT ref: 0000026C9CB60F0C
free.LIBCMT ref: 0000026C9CB60F18
free.LIBCMT ref: 0000026C9CB60F24
free.LIBCMT ref: 0000026C9CB60F30
free.LIBCMT ref: 0000026C9CB60F3C
free.LIBCMT ref: 0000026C9CB60F48
free.LIBCMT ref: 0000026C9CB60F54
free.LIBCMT ref: 0000026C9CB60F60
free.LIBCMT ref: 0000026C9CB60F6C
free.LIBCMT ref: 0000026C9CB60F78
free.LIBCMT ref: 0000026C9CB60F84
free.LIBCMT ref: 0000026C9CB60F90
free.LIBCMT ref: 0000026C9CB60F9C
free.LIBCMT ref: 0000026C9CB60FA8
free.LIBCMT ref: 0000026C9CB60FB4
free.LIBCMT ref: 0000026C9CB60FC0
free.LIBCMT ref: 0000026C9CB60FCC
free.LIBCMT ref: 0000026C9CB60FD8
free.LIBCMT ref: 0000026C9CB60FE4
free.LIBCMT ref: 0000026C9CB60FF0
free.LIBCMT ref: 0000026C9CB60FFC
free.LIBCMT ref: 0000026C9CB61008
free.LIBCMT ref: 0000026C9CB61014
free.LIBCMT ref: 0000026C9CB61020
free.LIBCMT ref: 0000026C9CB6102C
free.LIBCMT ref: 0000026C9CB61038
free.LIBCMT ref: 0000026C9CB61044
free.LIBCMT ref: 0000026C9CB61050
free.LIBCMT ref: 0000026C9CB6105C
free.LIBCMT ref: 0000026C9CB61068
free.LIBCMT ref: 0000026C9CB61074
free.LIBCMT ref: 0000026C9CB61080
free.LIBCMT ref: 0000026C9CB6108C
free.LIBCMT ref: 0000026C9CB61098
free.LIBCMT ref: 0000026C9CB610A4
free.LIBCMT ref: 0000026C9CB610B0
free.LIBCMT ref: 0000026C9CB610BC
free.LIBCMT ref: 0000026C9CB610C8
free.LIBCMT ref: 0000026C9CB610D4
free.LIBCMT ref: 0000026C9CB610E0
free.LIBCMT ref: 0000026C9CB610EC
free.LIBCMT ref: 0000026C9CB610F8
free.LIBCMT ref: 0000026C9CB61104
free.LIBCMT ref: 0000026C9CB61110
free.LIBCMT ref: 0000026C9CB6111C
free.LIBCMT ref: 0000026C9CB61128
free.LIBCMT ref: 0000026C9CB61134

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 2e4d513bdbcfd8bd2ec7bcf5c7b34eda39d1d1b6ccbe2ef803f71952144ddf35
Instruction ID: 51af694ee541781cef785b072861296096f3347a830badfe73c31341e53d87d1
Opcode Fuzzy Hash: 2e4d513bdbcfd8bd2ec7bcf5c7b34eda39d1d1b6ccbe2ef803f71952144ddf35
Instruction Fuzzy Hash: F2B164301B6548CBE789FB24C5D97F93761BB98300F944175988E8E5A7CE12DC46DBA0

Function 0000026C9CBA1280 Relevance: 107.7, APIs: 86, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000026C9CBA1295

Part of subcall function 0000026C9CB94698: HeapFree.KERNEL32 ref: 0000026C9CB946AE
Part of subcall function 0000026C9CB94698: _errno.LIBCMT ref: 0000026C9CB946B8

free.LIBCMT ref: 0000026C9CBA129E
free.LIBCMT ref: 0000026C9CBA12A7
free.LIBCMT ref: 0000026C9CBA12B0
free.LIBCMT ref: 0000026C9CBA12B9
free.LIBCMT ref: 0000026C9CBA12C2
free.LIBCMT ref: 0000026C9CBA12CA
free.LIBCMT ref: 0000026C9CBA12D3
free.LIBCMT ref: 0000026C9CBA12DC
free.LIBCMT ref: 0000026C9CBA12E5
free.LIBCMT ref: 0000026C9CBA12EE
free.LIBCMT ref: 0000026C9CBA12F7
free.LIBCMT ref: 0000026C9CBA1300
free.LIBCMT ref: 0000026C9CBA1309
free.LIBCMT ref: 0000026C9CBA1312
free.LIBCMT ref: 0000026C9CBA131B
free.LIBCMT ref: 0000026C9CBA1327
free.LIBCMT ref: 0000026C9CBA1333
free.LIBCMT ref: 0000026C9CBA133F
free.LIBCMT ref: 0000026C9CBA134B
free.LIBCMT ref: 0000026C9CBA1357
free.LIBCMT ref: 0000026C9CBA1363
free.LIBCMT ref: 0000026C9CBA136F
free.LIBCMT ref: 0000026C9CBA137B
free.LIBCMT ref: 0000026C9CBA1387
free.LIBCMT ref: 0000026C9CBA1393
free.LIBCMT ref: 0000026C9CBA139F
free.LIBCMT ref: 0000026C9CBA13AB
free.LIBCMT ref: 0000026C9CBA13B7
free.LIBCMT ref: 0000026C9CBA13C3
free.LIBCMT ref: 0000026C9CBA13CF
free.LIBCMT ref: 0000026C9CBA13DB
free.LIBCMT ref: 0000026C9CBA13E7
free.LIBCMT ref: 0000026C9CBA13F3
free.LIBCMT ref: 0000026C9CBA13FF
free.LIBCMT ref: 0000026C9CBA140B
free.LIBCMT ref: 0000026C9CBA1417
free.LIBCMT ref: 0000026C9CBA1423
free.LIBCMT ref: 0000026C9CBA142F
free.LIBCMT ref: 0000026C9CBA143B
free.LIBCMT ref: 0000026C9CBA1447
free.LIBCMT ref: 0000026C9CBA1453
free.LIBCMT ref: 0000026C9CBA145F
free.LIBCMT ref: 0000026C9CBA146B
free.LIBCMT ref: 0000026C9CBA1477
free.LIBCMT ref: 0000026C9CBA1483
free.LIBCMT ref: 0000026C9CBA148F
free.LIBCMT ref: 0000026C9CBA149B
free.LIBCMT ref: 0000026C9CBA14A7
free.LIBCMT ref: 0000026C9CBA14B3
free.LIBCMT ref: 0000026C9CBA14BF
free.LIBCMT ref: 0000026C9CBA14CB
free.LIBCMT ref: 0000026C9CBA14D7
free.LIBCMT ref: 0000026C9CBA14E3
free.LIBCMT ref: 0000026C9CBA14EF
free.LIBCMT ref: 0000026C9CBA14FB
free.LIBCMT ref: 0000026C9CBA1507
free.LIBCMT ref: 0000026C9CBA1513
free.LIBCMT ref: 0000026C9CBA151F
free.LIBCMT ref: 0000026C9CBA152B
free.LIBCMT ref: 0000026C9CBA1537
free.LIBCMT ref: 0000026C9CBA1543
free.LIBCMT ref: 0000026C9CBA154F
free.LIBCMT ref: 0000026C9CBA155B
free.LIBCMT ref: 0000026C9CBA1567
free.LIBCMT ref: 0000026C9CBA1573
free.LIBCMT ref: 0000026C9CBA157F
free.LIBCMT ref: 0000026C9CBA158B
free.LIBCMT ref: 0000026C9CBA1597
free.LIBCMT ref: 0000026C9CBA15A3
free.LIBCMT ref: 0000026C9CBA15AF
free.LIBCMT ref: 0000026C9CBA15BB
free.LIBCMT ref: 0000026C9CBA15C7
free.LIBCMT ref: 0000026C9CBA15D3
free.LIBCMT ref: 0000026C9CBA15DF
free.LIBCMT ref: 0000026C9CBA15EB
free.LIBCMT ref: 0000026C9CBA15F7
free.LIBCMT ref: 0000026C9CBA1603
free.LIBCMT ref: 0000026C9CBA160F
free.LIBCMT ref: 0000026C9CBA161B
free.LIBCMT ref: 0000026C9CBA1627
free.LIBCMT ref: 0000026C9CBA1633
free.LIBCMT ref: 0000026C9CBA163F
free.LIBCMT ref: 0000026C9CBA164B
free.LIBCMT ref: 0000026C9CBA1657
free.LIBCMT ref: 0000026C9CBA1663

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: 2e4d513bdbcfd8bd2ec7bcf5c7b34eda39d1d1b6ccbe2ef803f71952144ddf35
Instruction ID: c70c0605558f7821de2eb2cc936f85d9a3632fb079bc8d85636882b79c265ea7
Opcode Fuzzy Hash: 2e4d513bdbcfd8bd2ec7bcf5c7b34eda39d1d1b6ccbe2ef803f71952144ddf35
Instruction Fuzzy Hash: 41A15472223544C9EB45BB31C8993FC3331ABC6F48F954572EA8D6B5A7CEA2C8458760

Function 00007FF7F7382530 Relevance: 43.9, APIs: 15, Strings: 10, Instructions: 166libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7F73825D0
GetProcAddress.KERNEL32 ref: 00007FF7F73825E7
GetProcAddress.KERNEL32 ref: 00007FF7F73825FE
GetProcAddress.KERNEL32 ref: 00007FF7F7382615
GetCurrentProcess.KERNEL32 ref: 00007FF7F7382630
OpenProcessToken.ADVAPI32 ref: 00007FF7F738265C
GetTokenInformation.ADVAPI32 ref: 00007FF7F7382688
GetTokenInformation.ADVAPI32 ref: 00007FF7F73826BC
GetLengthSid.ADVAPI32 ref: 00007FF7F73826CC
CopySid.ADVAPI32 ref: 00007FF7F73826EA
CloseHandle.KERNEL32 ref: 00007FF7F7382715
GetProcAddress.KERNEL32 ref: 00007FF7F7382725
GetProcAddress.KERNEL32 ref: 00007FF7F73827AA
LoadLibraryW.KERNEL32 ref: 00007FF7F73827BE
GetProcAddress.KERNEL32 ref: 00007FF7F73827D3

Strings

userenv, xrefs: 00007FF7F738278F
GetEffectiveRightsFromAclW, xrefs: 00007FF7F738260B
BuildTrusteeWithSidW, xrefs: 00007FF7F73825F4
GetNamedSecurityInfoW, xrefs: 00007FF7F73825C6
advapi32, xrefs: 00007FF7F73825B2
GetVolumePathNamesForVolumeNameW, xrefs: 00007FF7F73827C9
GetUserProfileDirectoryW, xrefs: 00007FF7F73827A0
AllocateAndInitializeSid, xrefs: 00007FF7F738271B
kernel32, xrefs: 00007FF7F73827B7
LookupAccountSidW, xrefs: 00007FF7F73825DD

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc$Token$InformationProcess$CloseCopyCurrentHandleLengthLibraryLoadOpen
String ID: AllocateAndInitializeSid$BuildTrusteeWithSidW$GetEffectiveRightsFromAclW$GetNamedSecurityInfoW$GetUserProfileDirectoryW$GetVolumePathNamesForVolumeNameW$LookupAccountSidW$advapi32$kernel32$userenv
API String ID: 2696503892-3103641746
Opcode ID: 119ff1c74d3851af8e6b534a9a4d689b4cea124b3013ada68ca1587a54ffe470
Instruction ID: 2445ed76768675da6a13a4328abbadb509abbbf26a8aabcdf96aaa7fbaed0939
Opcode Fuzzy Hash: 119ff1c74d3851af8e6b534a9a4d689b4cea124b3013ada68ca1587a54ffe470
Instruction Fuzzy Hash: 92815E39A08B8296FB10FB19E854279A3A5FF44B90F940138D96D437E5DF7CE446C7A0

Function 0000026C9CBA091C Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000026C9CBA0961
GetProcAddress.KERNEL32 ref: 0000026C9CBA097D
EncodePointer.KERNEL32 ref: 0000026C9CBA098F
GetProcAddress.KERNEL32 ref: 0000026C9CBA09A6
EncodePointer.KERNEL32 ref: 0000026C9CBA09AF
GetProcAddress.KERNEL32 ref: 0000026C9CBA09C6
EncodePointer.KERNEL32 ref: 0000026C9CBA09CF
GetProcAddress.KERNEL32 ref: 0000026C9CBA09E6
EncodePointer.KERNEL32 ref: 0000026C9CBA09EF
GetProcAddress.KERNEL32 ref: 0000026C9CBA0A0E
EncodePointer.KERNEL32 ref: 0000026C9CBA0A17
DecodePointer.KERNEL32 ref: 0000026C9CBA0A4A
DecodePointer.KERNEL32 ref: 0000026C9CBA0A5A
DecodePointer.KERNEL32 ref: 0000026C9CBA0AB0
DecodePointer.KERNEL32 ref: 0000026C9CBA0AD1
DecodePointer.KERNEL32 ref: 0000026C9CBA0AEB

Strings

USER32.DLL, xrefs: 0000026C9CBA095A
GetActiveWindow, xrefs: 0000026C9CBA0995
GetUserObjectInformationW, xrefs: 0000026C9CBA09D5
MessageBoxW, xrefs: 0000026C9CBA0973
GetProcessWindowStation, xrefs: 0000026C9CBA0A04
GetLastActivePopup, xrefs: 0000026C9CBA09B5

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 7acbe540bc04eb17a634a09565014fbe7794e89a6f31f33c4fabbf1735c0f02e
Instruction ID: c57f1bbe0956c3347ed82e1e0e72a9f77042431a3cd35fd877d795c176fda48c
Opcode Fuzzy Hash: 7acbe540bc04eb17a634a09565014fbe7794e89a6f31f33c4fabbf1735c0f02e
Instruction Fuzzy Hash: 8751B534603B15C5EF59BB51F86C73937F0AB59B94FA401269CDE477A0EE3AC8458210

Function 0000026C9CB89460 Relevance: 33.2, APIs: 22, Instructions: 191memorywindowCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 0000026C9CB894AA
GlobalLock.KERNEL32 ref: 0000026C9CB894B6
GlobalUnlock.KERNEL32 ref: 0000026C9CB894CD
CreateStreamOnHGlobal.OLE32 ref: 0000026C9CB894E2
EnterCriticalSection.KERNEL32 ref: 0000026C9CB8952B
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB8953E
GdipCreateBitmapFromStream.GDIPLUS ref: 0000026C9CB8956E
GdipDisposeImage.GDIPLUS ref: 0000026C9CB89585
GdipDisposeImage.GDIPLUS ref: 0000026C9CB895A3
CreateStreamOnHGlobal.OLE32 ref: 0000026C9CB895C2
GetHGlobalFromStream.OLE32 ref: 0000026C9CB895ED
GlobalLock.KERNEL32 ref: 0000026C9CB895F8
GlobalFree.KERNEL32 ref: 0000026C9CB89613
DeleteObject.GDI32 ref: 0000026C9CB896EB
EnterCriticalSection.KERNEL32 ref: 0000026C9CB896F8
EnterCriticalSection.KERNEL32 ref: 0000026C9CB8970D
GdiplusShutdown.GDIPLUS ref: 0000026C9CB8971F
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB89733
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB89740
GlobalFree.KERNEL32 ref: 0000026C9CB89749

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$DisposeFreeFromImageLock$AllocBitmapDeleteGdiplusObjectShutdownUnlock
String ID:
API String ID: 562715702-0
Opcode ID: cdc0204bc30cf34552371714a5366ee355cd303610cee03585cb9d2d35280443
Instruction ID: 2bfd4a6de74d41678abb90abc1e0ca2ed3b4c4d385c588852daac8f8a26bdecd
Opcode Fuzzy Hash: cdc0204bc30cf34552371714a5366ee355cd303610cee03585cb9d2d35280443
Instruction Fuzzy Hash: 8C912B32706B40C6EB14EB61E8982BD33B1F748B98F600525DE9E57BA9DF3AC459C340

Function 0000026C9CBA5594 Relevance: 32.0, APIs: 21, Instructions: 481COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CBA55C5
_errno.LIBCMT ref: 0000026C9CBA55CE
__doserrno.LIBCMT ref: 0000026C9CBA5628
_errno.LIBCMT ref: 0000026C9CBA562F
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CBA5C9E

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 54416721b11f383574e6eb75bbea4055506d4160d704af51a6d319baa15b6c74
Instruction ID: 83648f5720a60aed95f28547ef3144f2ec583288f922a639ead2ef5b042cdbbf
Opcode Fuzzy Hash: 54416721b11f383574e6eb75bbea4055506d4160d704af51a6d319baa15b6c74
Instruction Fuzzy Hash: F2220332216B84C6E752BF64D4883BC3BF1B751BA8FB48106CADA077D6E676C649D301

Function 0000026C9CB9BB98 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 334COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026C9CB95850: RtlLookupFunctionEntry.KERNEL32 ref: 0000026C9CB958C4

__GetUnwindTryBlock.LIBCMT ref: 0000026C9CB9BBFC
__SetUnwindTryBlock.LIBCMT ref: 0000026C9CB9BC23

Part of subcall function 0000026C9CB9568C: RaiseException.KERNEL32 ref: 0000026C9CB95707

__GetUnwindTryBlock.LIBCMT ref: 0000026C9CB9BC2D
_getptd.LIBCMT ref: 0000026C9CB9BC83
_getptd.LIBCMT ref: 0000026C9CB9BC96
_getptd.LIBCMT ref: 0000026C9CB9BCA2
_SetThrowImageBase.LIBCMT ref: 0000026C9CB9BCB6
_getptd.LIBCMT ref: 0000026C9CB9BD06
_getptd.LIBCMT ref: 0000026C9CB9BD19
_getptd.LIBCMT ref: 0000026C9CB9BD25
type_info::operator==.LIBCMT ref: 0000026C9CB9BD8C
std::exception::exception.LIBCMT ref: 0000026C9CB9BDC5
_getptd.LIBCMT ref: 0000026C9CB9BFF8
std::exception::exception.LIBCMT ref: 0000026C9CB9C071

Strings

bad exception, xrefs: 0000026C9CB9BDB2
csm, xrefs: 0000026C9CB9BCD1
csm, xrefs: 0000026C9CB9BC43
csm, xrefs: 0000026C9CB9BDEA

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$BlockUnwind$std::exception::exception$BaseEntryExceptionFunctionImageLookupRaiseThrowtype_info::operator==
String ID: bad exception$csm$csm$csm
API String ID: 1639654010-820278400
Opcode ID: ee4cf200c058bec5ed6b23d82509feab73e8c37503a7504ed1a0638e07e7d0de
Instruction ID: 31541b96e2653494871a14b3f2ec29f51f2ad6a1b3fc548faab9757a94e7c634
Opcode Fuzzy Hash: ee4cf200c058bec5ed6b23d82509feab73e8c37503a7504ed1a0638e07e7d0de
Instruction Fuzzy Hash: 39E1A932602A40CAEB64BB65D0A83BD37B0FB45B8CF644225EE8A07BD6DB36C455C751

Function 0000026C9CB84570 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0000026C9CB845A9

Part of subcall function 0000026C9CB84390: GetCurrentProcessId.KERNEL32 ref: 0000026C9CB843AD
Part of subcall function 0000026C9CB84390: OpenProcess.KERNEL32 ref: 0000026C9CB843BD
Part of subcall function 0000026C9CB84390: OpenProcessToken.ADVAPI32 ref: 0000026C9CB843E5
Part of subcall function 0000026C9CB84390: CloseHandle.KERNEL32 ref: 0000026C9CB843F2

GetVersionExW.KERNEL32 ref: 0000026C9CB845DB
GetCurrentProcess.KERNEL32 ref: 0000026C9CB84604
OpenProcessToken.ADVAPI32 ref: 0000026C9CB84615
GetTokenInformation.ADVAPI32 ref: 0000026C9CB8463F
GetLastError.KERNEL32 ref: 0000026C9CB84649
LocalAlloc.KERNEL32 ref: 0000026C9CB84663
GetTokenInformation.ADVAPI32 ref: 0000026C9CB8468B
GetSidSubAuthorityCount.ADVAPI32 ref: 0000026C9CB84698
GetSidSubAuthority.ADVAPI32 ref: 0000026C9CB846A6
LocalFree.KERNEL32 ref: 0000026C9CB846B1
CloseHandle.KERNEL32 ref: 0000026C9CB846C4
wsprintfW.USER32 ref: 0000026C9CB84722

Strings

%d/, xrefs: 0000026C9CB84709
%d/, xrefs: 0000026C9CB846F7
%d/, xrefs: 0000026C9CB84700
%d/None/%s, xrefs: 0000026C9CB84712
%d/, xrefs: 0000026C9CB846EE

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocal$AllocCountErrorFreeLastVersionwsprintf
String ID: %d/$%d/$%d/$%d/$%d/None/%s
API String ID: 407931619-3175268128
Opcode ID: 66a97c90580ce347094714e55ca43378ea6e37b53cdfd1314d87ae6dfdcbb0e2
Instruction ID: ef43c0247dfbb59be76cf368c3091fdee64ecaeddd81c08156ebae85e6354a1f
Opcode Fuzzy Hash: 66a97c90580ce347094714e55ca43378ea6e37b53cdfd1314d87ae6dfdcbb0e2
Instruction Fuzzy Hash: A9515135216B40D6EB64AF11E49877A73B4F796B84FA40065EACA03A54DF3BC545CF10

Function 0000026C9CB5B669 Relevance: 30.2, APIs: 14, Strings: 3, Instructions: 493COMMONLIBRARYCODE

Download Yara Rule

APIs

__GetUnwindTryBlock.LIBCMT ref: 0000026C9CB5B6CD
__SetUnwindTryBlock.LIBCMT ref: 0000026C9CB5B6F4
__GetUnwindTryBlock.LIBCMT ref: 0000026C9CB5B6FE
_getptd.LIBCMT ref: 0000026C9CB5B754
_getptd.LIBCMT ref: 0000026C9CB5B767
_getptd.LIBCMT ref: 0000026C9CB5B773
_SetThrowImageBase.LIBCMT ref: 0000026C9CB5B787
_getptd.LIBCMT ref: 0000026C9CB5B7D7
_getptd.LIBCMT ref: 0000026C9CB5B7EA
_getptd.LIBCMT ref: 0000026C9CB5B7F6
type_info::operator==.LIBCMT ref: 0000026C9CB5B85D
std::exception::exception.LIBCMT ref: 0000026C9CB5B896
_getptd.LIBCMT ref: 0000026C9CB5BAC9
std::exception::exception.LIBCMT ref: 0000026C9CB5BB42

Strings

csm, xrefs: 0000026C9CB5B8BB
csm, xrefs: 0000026C9CB5B7A2
csm, xrefs: 0000026C9CB5B714

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$BlockUnwind$std::exception::exception$BaseImageThrowtype_info::operator==
String ID: csm$csm$csm
API String ID: 3798665358-393685449
Opcode ID: eb9d16b6ff1c1c6764852427ea27808433c176a4d810e4af76dc441884f6b13f
Instruction ID: ee289789cb32f119109368eeb9613e1dcc1f9184995a30a6cc71b26e2b3542f1
Opcode Fuzzy Hash: eb9d16b6ff1c1c6764852427ea27808433c176a4d810e4af76dc441884f6b13f
Instruction Fuzzy Hash: 06F1B33061AA88CFEB58BF68C4593B973F1FB54301F64412EE48A932D2DB76D8458782

Function 0000026C9CB87A50 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 225windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS ref: 0000026C9CB87A8E
malloc.LIBCMT ref: 0000026C9CB87AFA
free.LIBCMT ref: 0000026C9CB87B26
GdipGetImageEncoders.GDIPLUS ref: 0000026C9CB87B3F
free.LIBCMT ref: 0000026C9CB87B56
free.LIBCMT ref: 0000026C9CB87C2B
GdipCreateBitmapFromScan0.GDIPLUS ref: 0000026C9CB87C72
GdipSaveImageToStream.GDIPLUS ref: 0000026C9CB87C89
GdipDisposeImage.GDIPLUS ref: 0000026C9CB87C96
free.LIBCMT ref: 0000026C9CB87CAB
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 0000026C9CB87CC5
GdipSaveImageToStream.GDIPLUS ref: 0000026C9CB87CDC
GdipDisposeImage.GDIPLUS ref: 0000026C9CB87CE9
free.LIBCMT ref: 0000026C9CB87D06
GdipDisposeImage.GDIPLUS ref: 0000026C9CB87D15
free.LIBCMT ref: 0000026C9CB87D26

Strings

&, xrefs: 0000026C9CB87C5D

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Gdip$Image$free$Dispose$BitmapCreateEncodersFromSaveStream$Scan0Sizemalloc
String ID: &
API String ID: 1890951399-3042966939
Opcode ID: 60ad61b9c2a00a2fb8edbd6bf83d103515c805d4293a766110f50120b13cc51f
Instruction ID: 484ea45ed7d5c7d0c52dff3fd51aa6e3acc5107f4d1712decd6e9f3565aabc4f
Opcode Fuzzy Hash: 60ad61b9c2a00a2fb8edbd6bf83d103515c805d4293a766110f50120b13cc51f
Instruction Fuzzy Hash: 6B91AE33312A80C6EF24EF61C4A87B933B1E754B9CF694561EAA9277C4EF2AC4058340

Function 0000026C9CB87630 Relevance: 27.3, APIs: 18, Instructions: 283windowCOMMON

Download Yara Rule

APIs

GdipGetImagePixelFormat.GDIPLUS ref: 0000026C9CB8766F
GdipGetImageHeight.GDIPLUS ref: 0000026C9CB876D8
GdipGetImageWidth.GDIPLUS ref: 0000026C9CB876F6
GdipGetImagePaletteSize.GDIPLUS ref: 0000026C9CB8773C
malloc.LIBCMT ref: 0000026C9CB877A2

Part of subcall function 0000026C9CB946D8: _FF_MSGBANNER.LIBCMT ref: 0000026C9CB94708
Part of subcall function 0000026C9CB946D8: HeapAlloc.KERNEL32 ref: 0000026C9CB9472D
Part of subcall function 0000026C9CB946D8: _callnewh.LIBCMT ref: 0000026C9CB94746
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB94751
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB9475C

free.LIBCMT ref: 0000026C9CB877CB
GdipGetImagePalette.GDIPLUS ref: 0000026C9CB877EA
GdipBitmapLockBits.GDIPLUS ref: 0000026C9CB878A7
free.LIBCMT ref: 0000026C9CB878C6
GdipCreateBitmapFromScan0.GDIPLUS ref: 0000026C9CB879BF
GdipGetImageGraphicsContext.GDIPLUS ref: 0000026C9CB879D4
GdipDrawImageI.GDIPLUS ref: 0000026C9CB879EC
GdipDeleteGraphics.GDIPLUS ref: 0000026C9CB879F5
GdipDisposeImage.GDIPLUS ref: 0000026C9CB879FE
free.LIBCMT ref: 0000026C9CB878E6

Part of subcall function 0000026C9CB94698: HeapFree.KERNEL32 ref: 0000026C9CB946AE
Part of subcall function 0000026C9CB94698: _errno.LIBCMT ref: 0000026C9CB946B8

memcpy_s.LIBCMT ref: 0000026C9CB8792C
GdipBitmapUnlockBits.GDIPLUS ref: 0000026C9CB87968
free.LIBCMT ref: 0000026C9CB87A16

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Gdip$Image$free$Bitmap_errno$BitsGraphicsHeapPalette$AllocContextCreateDeleteDisposeDrawFormatFreeFromHeightLockPixelScan0SizeUnlockWidth_callnewhmallocmemcpy_s
String ID:
API String ID: 3799618542-0
Opcode ID: e8420e5db0a413dcbbb5ff5e2a4ca2867ef6350a45bdd43dbb9f23277287debd
Instruction ID: 8dea0f591f04c9e52f97371d227c62ea2c10d68a01bb8d317492eac824c6d01d
Opcode Fuzzy Hash: e8420e5db0a413dcbbb5ff5e2a4ca2867ef6350a45bdd43dbb9f23277287debd
Instruction Fuzzy Hash: 1DC1FC73202680CAEB20EF21C498BB93BB4F754B9CF654565EE9A67B85DF3AC500C740

Function 0000026C9CB83550 Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 146windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0000026C9CB83572

Strings

Metascan, xrefs: 0000026C9CB8365A
Process, xrefs: 0000026C9CB8373E
CurrPorts, xrefs: 0000026C9CB8362A
ApateDNS, xrefs: 0000026C9CB835CA
Fiddler, xrefs: 0000026C9CB836D2
Wireshark, xrefs: 0000026C9CB83672
Sniff, xrefs: 0000026C9CB83716
TaskExplorer, xrefs: 0000026C9CB83612
Capsa, xrefs: 0000026C9CB83702, 0000026C9CB8372A
Malwarebytes, xrefs: 0000026C9CB835E2
Port, xrefs: 0000026C9CB83642
TCPEye, xrefs: 0000026C9CB835FA

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: VisibleWindow
String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
API String ID: 1208467747-3439171801
Opcode ID: 32ff9c33e7c21981f1e92648b8f3a94a06c835b35deeed59398db8ea4e336351
Instruction ID: e7ab9605f0ee486587228fcb21068719c009ffcfdf0c10155a2aa9eb465d3b7e
Opcode Fuzzy Hash: 32ff9c33e7c21981f1e92648b8f3a94a06c835b35deeed59398db8ea4e336351
Instruction Fuzzy Hash: 9B510D78343741C0FF99BB55E55877433F06B5A7E9F6864699CCE06399FA2BC8408704

Function 0000026C9CB8AD70 Relevance: 24.3, APIs: 16, Instructions: 279COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0000026C9CB8AD92
SetLastError.KERNEL32 ref: 0000026C9CB8ADB5

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: a5f0163f4acb8b974cacfdb07cbf087a1492aeecdc8c13315bce12a0094e587a
Instruction ID: eb1f86bfe18019bcf7b280ae9b47f9cb941cb71a68690f4c38e1ba9d4c684d0d
Opcode Fuzzy Hash: a5f0163f4acb8b974cacfdb07cbf087a1492aeecdc8c13315bce12a0094e587a
Instruction Fuzzy Hash: 14B1BD32302A40CAEB64EB25E9987B933F5FB48B84F644465CE8E47B90EF3AD555C710

Function 000000014000B7F0 Relevance: 19.6, APIs: 13, Instructions: 121networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014000B84F
WSASetLastError.WS2_32 ref: 000000014000B862
LeaveCriticalSection.KERNEL32 ref: 000000014000B86C
WSASetLastError.WS2_32 ref: 000000014000B8B7
LeaveCriticalSection.KERNEL32 ref: 000000014000B8C1
WSASetLastError.WS2_32 ref: 000000014000B989

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalErrorLastSection$Leave$Enter
String ID:
API String ID: 3650451384-0
Opcode ID: 1c300547cf81033922c0f2f8a93969f9d7edcc1f4596588974520377087e211c
Instruction ID: 7ad27bf34863c6bf8fe744d9ce82e7e9009ef55e81a34259adc1220e4f2661f0
Opcode Fuzzy Hash: 1c300547cf81033922c0f2f8a93969f9d7edcc1f4596588974520377087e211c
Instruction Fuzzy Hash: 8A51F776204A408AE772DB27B4443AAB7A1F78DBE0F145125EB9A477B0DF79D885C700

Function 0000026C9CB99FD8 Relevance: 19.6, APIs: 13, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__free_lconv_mon.LIBCMT ref: 0000026C9CB9A030

Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA16FA
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA170C
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA171E
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA1730
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA1742
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA1754
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA1766
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA1778
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA178A
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA179C
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA17B1
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA17C6
Part of subcall function 0000026C9CBA16DC: free.LIBCMT ref: 0000026C9CBA17DB

free.LIBCMT ref: 0000026C9CB9A024

Part of subcall function 0000026C9CB94698: HeapFree.KERNEL32 ref: 0000026C9CB946AE
Part of subcall function 0000026C9CB94698: _errno.LIBCMT ref: 0000026C9CB946B8

free.LIBCMT ref: 0000026C9CB9A046
__free_lconv_num.LIBCMT ref: 0000026C9CB9A052
free.LIBCMT ref: 0000026C9CB9A05E
free.LIBCMT ref: 0000026C9CB9A06A
free.LIBCMT ref: 0000026C9CB9A08E
free.LIBCMT ref: 0000026C9CB9A0A2
free.LIBCMT ref: 0000026C9CB9A0B1
free.LIBCMT ref: 0000026C9CB9A0BD
free.LIBCMT ref: 0000026C9CB9A0EA
free.LIBCMT ref: 0000026C9CB9A112
free.LIBCMT ref: 0000026C9CB9A12C

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeap__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 2573795696-0
Opcode ID: cb00de6662f5520fdc5f3791fe64273e5581ddefffeafd99a740971fc32c6413
Instruction ID: b50029db13986ea3d4274995a004026024313027ad888936ef6951ca8bacfa73
Opcode Fuzzy Hash: cb00de6662f5520fdc5f3791fe64273e5581ddefffeafd99a740971fc32c6413
Instruction Fuzzy Hash: 27410A36213684C9EF95BF25C4593BC33B4EB84B9CF684435DA8D4A296DF6AC981C720

Function 0000026C9CB90FD0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32 ref: 0000026C9CB90FF8
connect.WS2_32 ref: 0000026C9CB9101D
WSAGetLastError.WS2_32 ref: 0000026C9CB9102C
connect.WS2_32 ref: 0000026C9CB91067
WSAEventSelect.WS2_32 ref: 0000026C9CB91080
SetLastError.KERNEL32 ref: 0000026C9CB9109B
GetLastError.KERNEL32 ref: 0000026C9CB910B3
WSASetLastError.WS2_32 ref: 0000026C9CB910C5
send.WS2_32 ref: 0000026C9CB910E9
WSAGetLastError.WS2_32 ref: 0000026C9CB910F4

Strings

<C-CNNID: %Iu> send 0 bytes (detect package), xrefs: 0000026C9CB91108

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$EventSelectconnect$send
String ID: <C-CNNID: %Iu> send 0 bytes (detect package)
API String ID: 1826129850-4236689219
Opcode ID: dcf0498b7daf1886a9e955b361d597334a96f5170af3cf8f91b6c37e3f771d0e
Instruction ID: 980f0d10f20fc1db46c2f8c8b9264932f28bcabf5dc789f97f34c5eae2626533
Opcode Fuzzy Hash: dcf0498b7daf1886a9e955b361d597334a96f5170af3cf8f91b6c37e3f771d0e
Instruction Fuzzy Hash: 3B316431711550C3F760AF6AE59873932B0F748BA4FA04625DA9983EE4CF7BC8969700

Function 0000026C9CB932E0 Relevance: 18.1, APIs: 12, Instructions: 121networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000026C9CB9333F
WSASetLastError.WS2_32 ref: 0000026C9CB93352
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB9335C
WSASetLastError.WS2_32 ref: 0000026C9CB933A7
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB933B1
WSASetLastError.WS2_32 ref: 0000026C9CB93479

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalErrorLastSection$Leave$Enter
String ID:
API String ID: 3650451384-0
Opcode ID: 21337f2ffdf3b93cbb6cca8b1675b67f4d5956b45ff553cf537671f279ca96a2
Instruction ID: c0a8bf9259a326facd32831eca03d99e55b51e2ed8f9d38450b81e999d3e0ac3
Opcode Fuzzy Hash: 21337f2ffdf3b93cbb6cca8b1675b67f4d5956b45ff553cf537671f279ca96a2
Instruction Fuzzy Hash: E0512C32245A40C7E771AF25E40833EB3B1F789B68F654225CADA43BA1DF7AD884C741

Function 0000026C9CB5AEA5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CB5AED5
_getptd.LIBCMT ref: 0000026C9CB5AEE9
_getptd.LIBCMT ref: 0000026C9CB5AF23
_getptd.LIBCMT ref: 0000026C9CB5AF2F
_getptd.LIBCMT ref: 0000026C9CB5AF3B
_CreateFrameInfo.LIBCMT ref: 0000026C9CB5AF50

Part of subcall function 0000026C9CB557CD: _getptd.LIBCMT ref: 0000026C9CB557D9
Part of subcall function 0000026C9CB557CD: _getptd.LIBCMT ref: 0000026C9CB557E7
Part of subcall function 0000026C9CB557CD: _getptd.LIBCMT ref: 0000026C9CB557FB

_getptd.LIBCMT ref: 0000026C9CB5AF6E
_getptd.LIBCMT ref: 0000026C9CB5B074
_getptd.LIBCMT ref: 0000026C9CB5B080

Strings

csm, xrefs: 0000026C9CB5B034

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$CreateFrameInfo
String ID: csm
API String ID: 4181383844-1018135373
Opcode ID: 371cf207fb1d4a3a8c67313975563ac93265a610aa77a25a5adbaa666b453dcc
Instruction ID: 805ac43ca0c8b55a4f004b1edc42d3dab0314a11762ff9579f349797210eabc0
Opcode Fuzzy Hash: 371cf207fb1d4a3a8c67313975563ac93265a610aa77a25a5adbaa666b453dcc
Instruction Fuzzy Hash: 26514C70559A48CFEBA4FF58C449BB973F0FB58311F64026EE089C3692D771E8428B86

Function 0000026C9CB9B3D4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CB9B404

Part of subcall function 0000026C9CB96FA8: _amsg_exit.LIBCMT ref: 0000026C9CB96FBE

_getptd.LIBCMT ref: 0000026C9CB9B418
_getptd.LIBCMT ref: 0000026C9CB9B452
_getptd.LIBCMT ref: 0000026C9CB9B45E
_getptd.LIBCMT ref: 0000026C9CB9B46A
_CreateFrameInfo.LIBCMT ref: 0000026C9CB9B47F

Part of subcall function 0000026C9CB95CFC: _getptd.LIBCMT ref: 0000026C9CB95D08
Part of subcall function 0000026C9CB95CFC: _getptd.LIBCMT ref: 0000026C9CB95D16
Part of subcall function 0000026C9CB95CFC: _getptd.LIBCMT ref: 0000026C9CB95D2A

_getptd.LIBCMT ref: 0000026C9CB9B49D
_getptd.LIBCMT ref: 0000026C9CB9B5A3
_getptd.LIBCMT ref: 0000026C9CB9B5AF

Strings

csm, xrefs: 0000026C9CB9B563

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$CreateFrameInfo_amsg_exit
String ID: csm
API String ID: 2825728721-1018135373
Opcode ID: bc2077fb82e993c6a671ee9943b81fbe161145c008b44bcd5635a92dfd771e75
Instruction ID: d7a01dd98470dc64c87c35a78233033a1841ebcbcc29636668c85071a0afe067
Opcode Fuzzy Hash: bc2077fb82e993c6a671ee9943b81fbe161145c008b44bcd5635a92dfd771e75
Instruction Fuzzy Hash: 91418C36116B80C2DB70AB12E4543BE73B4F788B98F654226EEDD47B91DB3AC4558700

Function 0000026C9CB92CD0 Relevance: 16.6, APIs: 11, Instructions: 107networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000026C9CB92D14
WSASetLastError.WS2_32 ref: 0000026C9CB92D26
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB92D30

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 5e2c67101b115eefd770f9530645276a89eac283016001a0172ea502d058b9de
Instruction ID: 6e01709a8ba1740ca42a514f380075336646ba5ebc0d647d1793daf810846aa5
Opcode Fuzzy Hash: 5e2c67101b115eefd770f9530645276a89eac283016001a0172ea502d058b9de
Instruction Fuzzy Hash: 8B418431712A50C3E718BB25E85C37D32B1FB85B95FA401219ED6477A2DF3BC8558341

Function 00007FF7F7340B60 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F7340B77
GetProcAddress.KERNEL32 ref: 00007FF7F7340B8C
QueryPerformanceFrequency.KERNEL32 ref: 00007FF7F7340B9E
QueryPerformanceCounter.KERNEL32 ref: 00007FF7F7340BD0
GetTickCount.KERNEL32 ref: 00007FF7F7340C30

Strings

default, xrefs: 00007FF7F7340BF1
QueryPerformanceCounter failed, although QueryPerformanceFrequency succeeded., xrefs: 00007FF7F7340BF8
GetTickCount64, xrefs: 00007FF7F7340B82
kernel32, xrefs: 00007FF7F7340B70

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: PerformanceQuery$AddressCountCounterFrequencyHandleModuleProcTick
String ID: GetTickCount64$QueryPerformanceCounter failed, although QueryPerformanceFrequency succeeded.$default$kernel32
API String ID: 3248421294-3823320790
Opcode ID: c59a33e538b6d16315bac9845251cd1345709dcc26705cc9562fa14b61e4d09c
Instruction ID: 462d9677e8ec569104387e57f3bd2d1d12d4bdad206f191f03066859951e1445
Opcode Fuzzy Hash: c59a33e538b6d16315bac9845251cd1345709dcc26705cc9562fa14b61e4d09c
Instruction Fuzzy Hash: A8214C68F0D74293FB14BF58E881635A3A0AF84750FA44039D86E433D0EFACE586C7A4

Function 0000026C9CB89DC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000026C9CB89E11
RegDeleteValueW.ADVAPI32 ref: 0000026C9CB89E1F
RegCloseKey.ADVAPI32 ref: 0000026C9CB89E2A
RegCreateKeyW.ADVAPI32 ref: 0000026C9CB89E4A
lstrlenW.KERNEL32 ref: 0000026C9CB89E57
RegSetValueExW.ADVAPI32 ref: 0000026C9CB89E79
RegCloseKey.ADVAPI32 ref: 0000026C9CB89E84

Strings

AppEvents, xrefs: 0000026C9CB89DEE
Network, xrefs: 0000026C9CB89DE7

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpenlstrlen
String ID: AppEvents$Network
API String ID: 3197061591-3733486940
Opcode ID: 36e90fbbfea98bc956dd5aeff78b519238191f212cae5700653f1760c57783c9
Instruction ID: a062892193536aa8419f1131064cefab785ca99aad346a4cd974e2b0bb31fbcf
Opcode Fuzzy Hash: 36e90fbbfea98bc956dd5aeff78b519238191f212cae5700653f1760c57783c9
Instruction Fuzzy Hash: 93211F76615A40C7EB20AB12F80876AB7B5F784BE5F540121EED947B98CF7EC149CB04

Function 0000026C9CBA0D3C Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 0000026C9CBA0DD6
malloc.LIBCMT ref: 0000026C9CBA0E3F
MultiByteToWideChar.KERNEL32 ref: 0000026C9CBA0E73
LCMapStringW.KERNEL32 ref: 0000026C9CBA0E9A
LCMapStringW.KERNEL32 ref: 0000026C9CBA0EE2
malloc.LIBCMT ref: 0000026C9CBA0F3F

Part of subcall function 0000026C9CB946D8: _FF_MSGBANNER.LIBCMT ref: 0000026C9CB94708
Part of subcall function 0000026C9CB946D8: HeapAlloc.KERNEL32 ref: 0000026C9CB9472D
Part of subcall function 0000026C9CB946D8: _callnewh.LIBCMT ref: 0000026C9CB94746
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB94751
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB9475C

LCMapStringW.KERNEL32 ref: 0000026C9CBA0F74
WideCharToMultiByte.KERNEL32 ref: 0000026C9CBA0FB4
free.LIBCMT ref: 0000026C9CBA0FC8
free.LIBCMT ref: 0000026C9CBA0FD9

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: 6d8b7b3dc11a15fff77c7ccf32e137587439f77b0189d775a4a507dbfda42e36
Instruction ID: b31086db0c9a3a0606dc5166162d75e7787c1ab7c55cd6249a3e958b0bc39ab8
Opcode Fuzzy Hash: 6d8b7b3dc11a15fff77c7ccf32e137587439f77b0189d775a4a507dbfda42e36
Instruction Fuzzy Hash: A381C432702780C6EB24AF25E54837E76F5F748BA8FA40625EADE57BD4DB3AD5108700

Function 0000026C9CB84390 Relevance: 15.1, APIs: 10, Instructions: 126COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0000026C9CB843AD
OpenProcess.KERNEL32 ref: 0000026C9CB843BD
OpenProcessToken.ADVAPI32 ref: 0000026C9CB843E5
CloseHandle.KERNEL32 ref: 0000026C9CB843F2
SysStringLen.OLEAUT32 ref: 0000026C9CB84440
SysStringLen.OLEAUT32 ref: 0000026C9CB84453
CloseHandle.KERNEL32 ref: 0000026C9CB844BD
CloseHandle.KERNEL32 ref: 0000026C9CB844C6
SysFreeString.OLEAUT32 ref: 0000026C9CB844FC
SysFreeString.OLEAUT32 ref: 0000026C9CB84539

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: String$CloseHandleProcess$FreeOpen$CurrentToken
String ID:
API String ID: 3697972778-0
Opcode ID: c0b0e474b926fcc330e320d504bf00c551296146189a67d64404ddb141be6ede
Instruction ID: 7697a47a6120b880681a4e639a922daa21d8b6db6fabab5d74ffe06e4c48f774
Opcode Fuzzy Hash: c0b0e474b926fcc330e320d504bf00c551296146189a67d64404ddb141be6ede
Instruction Fuzzy Hash: 9C516F35202780C2FB64BB55E4683BA73B0FB84F98F284515DEDA47B95DF3AC8048B50

Function 0000026C9CBA0B64 Relevance: 15.1, APIs: 10, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CBA0BAB
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CBA0BB7
_errno.LIBCMT ref: 0000026C9CBA0C01
_errno.LIBCMT ref: 0000026C9CBA0C0C
_errno.LIBCMT ref: 0000026C9CBA0C3E
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CBA0C48
WideCharToMultiByte.KERNEL32 ref: 0000026C9CBA0CBA
GetLastError.KERNEL32 ref: 0000026C9CBA0CD7
_errno.LIBCMT ref: 0000026C9CBA0CFD
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CBA0D09

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 2295021086-0
Opcode ID: 8a0d1357173deac69c26e3324236e112c1b1041ebc1a21b94e928fbcca27f017
Instruction ID: e2dce2e290126ea6f58e8720a36369c839806660ab40a7b1d7ec44c4733d82bd
Opcode Fuzzy Hash: 8a0d1357173deac69c26e3324236e112c1b1041ebc1a21b94e928fbcca27f017
Instruction Fuzzy Hash: 5E519032603740DAFB61BBA4E5483BC76F0A741BECFB44225DADE07AD5EB3A85458701

Function 00007FF7F733FE10 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 295COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32 ref: 00007FF7F733FF6A
WaitForMultipleObjects.KERNEL32 ref: 00007FF7F733FFC5

Part of subcall function 00007FF7F7319CB0: _CxxThrowException.LIBVCRUNTIME ref: 00007FF7F7319CDF

CloseHandle.KERNEL32 ref: 00007FF7F7340081
GetLastError.KERNEL32 ref: 00007FF7F73401DB
TlsGetValue.KERNEL32 ref: 00007FF7F7340254

Strings

default, xrefs: 00007FF7F733FE55
QThread internal error while waiting for adopted threads: %d, xrefs: 00007FF7F73401E4
@, xrefs: 00007FF7F733FF87

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: MultipleObjectsWait$CloseErrorExceptionHandleLastThrowValue
String ID: @$QThread internal error while waiting for adopted threads: %d$default
API String ID: 260478653-2992040041
Opcode ID: a17424416e23380ba081f0f70fe6da9368696a7339bf18603e62f94c7f294120
Instruction ID: cb122cf76bef2fbee4d1071594781f610f44b12559b6ba723e1ac3792de06414
Opcode Fuzzy Hash: a17424416e23380ba081f0f70fe6da9368696a7339bf18603e62f94c7f294120
Instruction Fuzzy Hash: AFC1C439B0868696EB64AF25D4406B9B761FF44B94F944239D93D073E5DF3CE406C390

Function 0000026C9CB9A424 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 0000026C9CB9A445

Part of subcall function 0000026C9CB979CC: Sleep.KERNEL32 ref: 0000026C9CB97A11

GetFileType.KERNEL32 ref: 0000026C9CB9A5B0
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000026C9CB9A5EE

Strings

@, xrefs: 0000026C9CB9A6A9

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID: @
API String ID: 3473179607-2766056989
Opcode ID: 70613ee20f0b469d2dc4fa8b7aa00a0ec4ba75fb24369761d5266e73a85542bd
Instruction ID: 2d05cb04e96c91e717245b8de591ab5073896691001096a10f645672ae6b5a19
Opcode Fuzzy Hash: 70613ee20f0b469d2dc4fa8b7aa00a0ec4ba75fb24369761d5266e73a85542bd
Instruction Fuzzy Hash: E8815876302B81C6EB54AF29D48C73977B0E755B78F648325CABA432D4EB3AC595C304

Function 0000026C9CB83DB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 117registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000026C9CB83E19
RegQueryInfoKeyW.ADVAPI32 ref: 0000026C9CB83E74
RegEnumKeyExW.ADVAPI32 ref: 0000026C9CB83F09
lstrlenW.KERNEL32 ref: 0000026C9CB83F13
lstrlenW.KERNEL32 ref: 0000026C9CB83F22

Part of subcall function 0000026C9CB94574: _errno.LIBCMT ref: 0000026C9CB94593
Part of subcall function 0000026C9CB94574: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB9459F

Part of subcall function 0000026C9CB94574: _errno.LIBCMT ref: 0000026C9CB945E9

RegCloseKey.ADVAPI32 ref: 0000026C9CB83F6B
lstrlenW.KERNEL32 ref: 0000026C9CB83F88

Strings

Software\Tencent\Plugin\VAS, xrefs: 0000026C9CB83DFD

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: lstrlen$_errno$CloseEnumInfoOpenQuery_invalid_parameter_noinfo
String ID: Software\Tencent\Plugin\VAS
API String ID: 47975445-3343197220
Opcode ID: e7f4e84029ec382a2d93beb0de2337fa29a23218f62e48d748265e7efd93be2b
Instruction ID: 0b4ee992180514dfa3fdd301f25145e58012fb209d3eb3826da605d1db9ddb8f
Opcode Fuzzy Hash: e7f4e84029ec382a2d93beb0de2337fa29a23218f62e48d748265e7efd93be2b
Instruction Fuzzy Hash: 37514332615B81C6E760EB25E8843FE77B5F788748FA00126EACD43A58DF3AC559CB40

Function 0000026C9CB91A60 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB913F0: EnterCriticalSection.KERNEL32 ref: 0000026C9CB9141E
Part of subcall function 0000026C9CB913F0: LeaveCriticalSection.KERNEL32 ref: 0000026C9CB91472

send.WS2_32 ref: 0000026C9CB91AC3
EnterCriticalSection.KERNEL32 ref: 0000026C9CB91AD6
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB91AE9
SetLastError.KERNEL32 ref: 0000026C9CB91AF1
WSAGetLastError.WS2_32 ref: 0000026C9CB91B6E
EnterCriticalSection.KERNEL32 ref: 0000026C9CB91B82
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB91BC8

Strings

<C-CNNID: %Iu> OnSend() event should not return 'HR_ERROR' !!, xrefs: 0000026C9CB91B14

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLast$send
String ID: <C-CNNID: %Iu> OnSend() event should not return 'HR_ERROR' !!
API String ID: 484515946-1981346945
Opcode ID: 3feb2db3476dfe5488b86a50e82330a31573681218d9595143e5917083d90cfd
Instruction ID: ead18342235b0465aa0f79f2e957b4502e070f2451af1af34a829d5fecc14a3a
Opcode Fuzzy Hash: 3feb2db3476dfe5488b86a50e82330a31573681218d9595143e5917083d90cfd
Instruction Fuzzy Hash: A8517C32206B40C2EB64AF22E5483BEB3B4F749B94F640515DBDA47BA5EF3AD495C700

Function 0000026C9CBA23A4 Relevance: 13.7, APIs: 9, Instructions: 242COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CBA23F5
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CBA2400

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 5b15c66cd6d411bd027aebc04f631a0e3f4aaa2a84db44a19bfb65910699da26
Instruction ID: 2ad578a828f3e7dcca5b6841372cd18c75f779e616187c9de3e27487977eb1a4
Opcode Fuzzy Hash: 5b15c66cd6d411bd027aebc04f631a0e3f4aaa2a84db44a19bfb65910699da26
Instruction Fuzzy Hash: 82A1C372713740CAFB60AB64D64837D76F5B7447A8F244615DEDD03AEADB3AC8828702

Function 0000026C9CB65789 Relevance: 13.6, APIs: 9, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CB657B2
_errno.LIBCMT ref: 0000026C9CB657BB
__doserrno.LIBCMT ref: 0000026C9CB65819
_errno.LIBCMT ref: 0000026C9CB65820
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB65884

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 93f627117ff418e048685a1d2756b48fc0f2c634aa3720686b95d148af7d0f99
Instruction ID: 7637da5ca6ab5230df90213ba189ae6692777f3ca119276d888667982f53bfae
Opcode Fuzzy Hash: 93f627117ff418e048685a1d2756b48fc0f2c634aa3720686b95d148af7d0f99
Instruction Fuzzy Hash: 0031C47010A644CEF3097F68D88E3B977E0EB45320F25065CE8C6873E3DA76A82646D2

Function 0000026C9CB92690 Relevance: 13.6, APIs: 9, Instructions: 109networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB915C0: SwitchToThread.KERNEL32 ref: 0000026C9CB915FA

SetLastError.KERNEL32 ref: 0000026C9CB92761
GetLastError.KERNEL32 ref: 0000026C9CB927D8

Part of subcall function 0000026C9CB90FD0: WSAEventSelect.WS2_32 ref: 0000026C9CB90FF8
Part of subcall function 0000026C9CB90FD0: connect.WS2_32 ref: 0000026C9CB9101D
Part of subcall function 0000026C9CB90FD0: WSAGetLastError.WS2_32 ref: 0000026C9CB9102C

ResetEvent.KERNEL32 ref: 0000026C9CB927A6
WSAGetLastError.WS2_32 ref: 0000026C9CB927C9
WSAGetLastError.WS2_32 ref: 0000026C9CB927F1
WSAGetLastError.WS2_32 ref: 0000026C9CB92800
SetLastError.KERNEL32 ref: 0000026C9CB9280F
GetLastError.KERNEL32 ref: 0000026C9CB92827
SetLastError.KERNEL32 ref: 0000026C9CB9283A

Part of subcall function 0000026C9CB90EF0: htons.WS2_32 ref: 0000026C9CB90F64
Part of subcall function 0000026C9CB90EF0: bind.WS2_32 ref: 0000026C9CB90F98

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$Event$ResetSelectSwitchThreadbindconnecthtons
String ID:
API String ID: 1298600207-0
Opcode ID: 6976ed68a7b460f545eb79997a661905af692d36da6c8cd53b89725313569a83
Instruction ID: d64727576c8a6d2d868d0a146045c9de92c4c7019b67b1b58c249258549f4aa9
Opcode Fuzzy Hash: 6976ed68a7b460f545eb79997a661905af692d36da6c8cd53b89725313569a83
Instruction Fuzzy Hash: B2414932A06B40C3EB64AB22E64837E73B5FB48B85F604025DBCA43B95DF7AC465C741

Function 00007FF7F73197B0 Relevance: 13.6, APIs: 9, Instructions: 91COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FF7F73197E4
VerSetConditionMask.KERNEL32 ref: 00007FF7F73197F3
VerifyVersionInfoW.KERNEL32 ref: 00007FF7F7319842
VerifyVersionInfoW.KERNEL32 ref: 00007FF7F731986A
VerSetConditionMask.KERNEL32 ref: 00007FF7F7319889
VerSetConditionMask.KERNEL32 ref: 00007FF7F731989A
VerSetConditionMask.KERNEL32 ref: 00007FF7F73198AB
VerifyVersionInfoW.KERNEL32 ref: 00007FF7F73198C1
VerifyVersionInfoW.KERNEL32 ref: 00007FF7F73198EA

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 10c6aff73516db3e0e7fc4b1498109461d770d16e70cbd1f77bc26cf72f8573f
Instruction ID: a0f00240da1131b8a103700ccea5a8166bde9bbb3ef933b585e6de062ed2acd5
Opcode Fuzzy Hash: 10c6aff73516db3e0e7fc4b1498109461d770d16e70cbd1f77bc26cf72f8573f
Instruction Fuzzy Hash: 7941A336A08681C7D724DF11E44426ABBA1FB8CB94F448139DA9E47B98DF3CD606CF90

Function 0000026C9CBA5CB8 Relevance: 13.6, APIs: 9, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CBA5CE1
_errno.LIBCMT ref: 0000026C9CBA5CEA
__doserrno.LIBCMT ref: 0000026C9CBA5D48
_errno.LIBCMT ref: 0000026C9CBA5D4F
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CBA5DB3

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 93f627117ff418e048685a1d2756b48fc0f2c634aa3720686b95d148af7d0f99
Instruction ID: 6522c1e9105f12bb08af5a6e5364c446bc0fb74b7d41a2b71f2f631d75a38269
Opcode Fuzzy Hash: 93f627117ff418e048685a1d2756b48fc0f2c634aa3720686b95d148af7d0f99
Instruction Fuzzy Hash: 3F31E431202650C6E3567FA5D89E77E3AB1A7817E4F354119EAD0073D3EA7AC944C740

Function 00007FF7F7380D80 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 330COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7382530: GetProcAddress.KERNEL32 ref: 00007FF7F73825D0
Part of subcall function 00007FF7F7382530: GetProcAddress.KERNEL32 ref: 00007FF7F73825E7
Part of subcall function 00007FF7F7382530: GetProcAddress.KERNEL32 ref: 00007FF7F73825FE
Part of subcall function 00007FF7F7382530: GetProcAddress.KERNEL32 ref: 00007FF7F7382615
Part of subcall function 00007FF7F7382530: GetCurrentProcess.KERNEL32 ref: 00007FF7F7382630
Part of subcall function 00007FF7F7382530: OpenProcessToken.ADVAPI32 ref: 00007FF7F738265C
Part of subcall function 00007FF7F7382530: GetTokenInformation.ADVAPI32 ref: 00007FF7F7382688
Part of subcall function 00007FF7F7382530: GetTokenInformation.ADVAPI32 ref: 00007FF7F73826BC
Part of subcall function 00007FF7F7382530: GetLengthSid.ADVAPI32 ref: 00007FF7F73826CC
Part of subcall function 00007FF7F7382530: CopySid.ADVAPI32 ref: 00007FF7F73826EA

GetCurrentProcess.KERNEL32 ref: 00007FF7F7380DC6
OpenProcessToken.ADVAPI32 ref: 00007FF7F7380DDA
CloseHandle.KERNEL32 ref: 00007FF7F7380E94

Strings

HOME, xrefs: 00007FF7F73810B8
HOMEPATH, xrefs: 00007FF7F7380F58
USERPROFILE, xrefs: 00007FF7F7380EB5
HOMEDRIVE, xrefs: 00007FF7F7380F78

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProcProcessToken$CurrentInformationOpen$CloseCopyHandleLength
String ID: HOME$HOMEDRIVE$HOMEPATH$USERPROFILE
API String ID: 2161948334-698974742
Opcode ID: 522bbb0ce41df5e904172ec52821add264b1887ae4c821b0e5e19679b0eeeca8
Instruction ID: 5e74f50ce7ca11b88d923f929c1c41af4d8a1bf66f4390f4b748576b5c3c7c32
Opcode Fuzzy Hash: 522bbb0ce41df5e904172ec52821add264b1887ae4c821b0e5e19679b0eeeca8
Instruction Fuzzy Hash: 1CE1803AB05A819BEB10EF35D8901BCB3A0FF44768F944539DA2D876D5DE38E806C790

Function 0000026C9CB87F30 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 0000026C9CB880B0

Part of subcall function 0000026C9CB93E78: malloc.LIBCMT ref: 0000026C9CB93E92

Part of subcall function 0000026C9CB93E0C: _errno.LIBCMT ref: 0000026C9CB93E2B
Part of subcall function 0000026C9CB93E0C: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB93E37

swprintf.LIBCMT ref: 0000026C9CB881DA
swprintf.LIBCMT ref: 0000026C9CB8825B

Strings

%s %s, xrefs: 0000026C9CB8809C, 0000026C9CB88115, 0000026C9CB881C6, 0000026C9CB88247
plugmark, xrefs: 0000026C9CB87FD2
onlyloadinmyself, xrefs: 0000026C9CB87F57

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: swprintf$_errno_invalid_parameter_noinfomalloc
String ID: %s %s$onlyloadinmyself$plugmark
API String ID: 3059695456-591889663
Opcode ID: bd173990919955496a5d2fd31b15c617698a0f7984e0d23985bbef0f184765d7
Instruction ID: 112a351b15e418f9d82a14736171bdb99e97cf3d639d6e15b4a629b4b668b9f6
Opcode Fuzzy Hash: bd173990919955496a5d2fd31b15c617698a0f7984e0d23985bbef0f184765d7
Instruction Fuzzy Hash: 29A1AC36301A85C6FB10EF66D4883B977B1E789BC8F648025DE8D0BBA6DE3AC5458350

Function 00007FF7F73405C0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 99threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF7F7340708
GetThreadPriority.KERNEL32 ref: 00007FF7F7340711
SetThreadPriority.KERNEL32 ref: 00007FF7F7340722
ResumeThread.KERNEL32 ref: 00007FF7F734073F

Strings

QThread::start: Failed to create thread, xrefs: 00007FF7F73406A9
QThread::start: Failed to resume new thread, xrefs: 00007FF7F734074A
QThread::start: Failed to set thread priority, xrefs: 00007FF7F734072C

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Priority$CurrentResume
String ID: QThread::start: Failed to create thread$QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 682968308-3963483154
Opcode ID: a895a4ec4cb16228a666090ac22768035e26b0b9b9618cbf51015f0cb63221b3
Instruction ID: f5d13dc73c942cf0d27d33b702d94afb39e38e3b859f2c46780f8fd37fbd0553
Opcode Fuzzy Hash: a895a4ec4cb16228a666090ac22768035e26b0b9b9618cbf51015f0cb63221b3
Instruction Fuzzy Hash: FD417229B08785A6E758BF24A9112B8A391FF84774F944338DA7D032E1DF3CE456C7A1

Function 0000026C9CB89780 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000026C9CB897FD
WriteFile.KERNEL32 ref: 0000026C9CB8982E
CloseHandle.KERNEL32 ref: 0000026C9CB8983B
lstrlenW.KERNEL32 ref: 0000026C9CB89846
wsprintfW.USER32 ref: 0000026C9CB8986C

Strings

%s %s, xrefs: 0000026C9CB89865

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: File$CloseCreateHandleWritelstrlenwsprintf
String ID: %s %s
API String ID: 2369136734-2939940506
Opcode ID: 09ce7afcb9fb6050578c75cf102adc5c64cf37ae564d7fe82caabfb4846adaf7
Instruction ID: ee3f04a4aa89438c6cbf04b7e19ac5f143f7fde17174a66f7dfa08b25cda371d
Opcode Fuzzy Hash: 09ce7afcb9fb6050578c75cf102adc5c64cf37ae564d7fe82caabfb4846adaf7
Instruction Fuzzy Hash: A8318131615A85D6FB20EF21E8887BBB3B1F7C4794FA44111AACD47A98DF3AC549CB00

Function 0000026C9CB60635 Relevance: 12.2, APIs: 8, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB6067C
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB60688
_errno.LIBCMT ref: 0000026C9CB606D2
_errno.LIBCMT ref: 0000026C9CB606DD
_errno.LIBCMT ref: 0000026C9CB6070F
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB60719
_errno.LIBCMT ref: 0000026C9CB607CE
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB607DA

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 4947a362412c4fceee330a8e71a7679ddf0a543ef0673e77153d394316c0f519
Instruction ID: 429307cffb5f93a16766092f5a489fd07237edef76ae89a1cad16305e7c9425f
Opcode Fuzzy Hash: 4947a362412c4fceee330a8e71a7679ddf0a543ef0673e77153d394316c0f519
Instruction Fuzzy Hash: 7B510530516A0ACBFBA5BB19D44C3B97AF0FB94330FB44229D4C9C62CACA36C8418B45

Function 0000026C9CB8D3C0 Relevance: 12.1, APIs: 8, Instructions: 120synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000026C9CB8D3F9
SetLastError.KERNEL32 ref: 0000026C9CB8D408
CloseHandle.KERNEL32 ref: 0000026C9CB8D41D
CloseHandle.KERNEL32 ref: 0000026C9CB8D445
CloseHandle.KERNEL32 ref: 0000026C9CB8D46D
DeleteCriticalSection.KERNEL32 ref: 0000026C9CB8D4F5
free.LIBCMT ref: 0000026C9CB8D538
CloseHandle.KERNEL32 ref: 0000026C9CB8D55B

Part of subcall function 0000026C9CB91710: GetCurrentThreadId.KERNEL32 ref: 0000026C9CB9171D

Part of subcall function 0000026C9CB872B0: GdipDisposeImage.GDIPLUS ref: 0000026C9CB872ED
Part of subcall function 0000026C9CB872B0: GdipFree.GDIPLUS ref: 0000026C9CB872FB

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandle$Gdip$CriticalCurrentDeleteDisposeErrorFreeImageLastObjectSectionSingleThreadWaitfree
String ID:
API String ID: 1027730736-0
Opcode ID: 347c1ec12ef1d2ec7bf1145c1b6afb1a60276238f096c0ea2858b635a1103b41
Instruction ID: 6ed712cd821bc1b6932e580d80055b1d4e2d6932114aa4b55727c9669bea3ea1
Opcode Fuzzy Hash: 347c1ec12ef1d2ec7bf1145c1b6afb1a60276238f096c0ea2858b635a1103b41
Instruction Fuzzy Hash: 3B515032203B41C6FB55AF34D4983BD33B4EB81B98F68457A9A9A876E5CF36C8558310

Function 00007FF7F7333920 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strchr.LIBVCRUNTIME ref: 00007FF7F73339CA

Strings

QObject::%s: No such %s %s::%s%s%s, xrefs: 00007FF7F7333A45
slot, xrefs: 00007FF7F733395C
default, xrefs: 00007FF7F73339DB
QObject::%s: Parentheses expected, %s %s::%s%s%s, xrefs: 00007FF7F7333A21
method, xrefs: 00007FF7F7333936
in , xrefs: 00007FF7F73339F1
signal, xrefs: 00007FF7F7333953

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: strchr
String ID: in $QObject::%s: No such %s %s::%s%s%s$QObject::%s: Parentheses expected, %s %s::%s%s%s$default$method$signal$slot
API String ID: 2830005266-1438824482
Opcode ID: ed1abf882f2c03d4d3c043e58149050cc9689118d8bd9510a25f0b8134be170e
Instruction ID: b0cda2fd8dc08de9555a02a6ac77df9667b087fd9d1a7af5e634bdc2d227320e
Opcode Fuzzy Hash: ed1abf882f2c03d4d3c043e58149050cc9689118d8bd9510a25f0b8134be170e
Instruction Fuzzy Hash: 1C41B226A09B8192EB60AF00A8402B9B7A1FF85B90F848139DE7D03BD5DF3CD446D390

Function 0000026C9CB92BC0 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0000026C9CB92BF6
TryEnterCriticalSection.KERNEL32 ref: 0000026C9CB92C0F
TryEnterCriticalSection.KERNEL32 ref: 0000026C9CB92C2B
SetLastError.KERNEL32 ref: 0000026C9CB92C47
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB92C51
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB92C5B

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: aceef0d8f6cd6c68b7d24092875a9f92703ae0e2651d92f7e848195387b296dd
Instruction ID: b4e7f089d26b888c0d45c6a61a452a046993f1a4652cccc548b9489de251008b
Opcode Fuzzy Hash: aceef0d8f6cd6c68b7d24092875a9f92703ae0e2651d92f7e848195387b296dd
Instruction Fuzzy Hash: 49216D31605A40CBE368AB25E44837E33B1F789BA8F7402209ED697AA6DF3AC445C701

Function 0000026C9CB8F160 Relevance: 10.8, APIs: 2, Strings: 5, Instructions: 339COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000026C9CB8F376
malloc.LIBCMT ref: 0000026C9CB8F45D

Part of subcall function 0000026C9CB946D8: _FF_MSGBANNER.LIBCMT ref: 0000026C9CB94708
Part of subcall function 0000026C9CB946D8: HeapAlloc.KERNEL32 ref: 0000026C9CB9472D
Part of subcall function 0000026C9CB946D8: _callnewh.LIBCMT ref: 0000026C9CB94746
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB94751
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB9475C

Strings

input wins: %lu, xrefs: 0000026C9CB8F4FE
[RI] %d bytes, xrefs: 0000026C9CB8F19A
input probe, xrefs: 0000026C9CB8F4D5
input psh: sn=%lu ts=%lu, xrefs: 0000026C9CB8F40E
input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 0000026C9CB8F3D1

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$AllocHeap_callnewhfreemalloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3198430600-868042568
Opcode ID: 71f902fbc9141746ee0dab03b95b383ee8bd6d96c1cc4bade1ccfda00f101f5a
Instruction ID: b71de6f3379f58900f4fc9f34855504e3d3208fd8580c4f930387f12819867c3
Opcode Fuzzy Hash: 71f902fbc9141746ee0dab03b95b383ee8bd6d96c1cc4bade1ccfda00f101f5a
Instruction Fuzzy Hash: DEE1A272606690CBE774EF29E48877E7BB1F395788F244451DBD683B99DA3AD840CB00

Function 0000026C9CB93530 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

bad allocation, xrefs: 0000026C9CB93641, 0000026C9CB93790

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: bad allocation
API String ID: 0-2104205924
Opcode ID: e8f0598dbd45f399888059267843e7640e179de0418f77ab1c84c48c3c6fc7e4
Instruction ID: f07756a689856a11aa47122bd3e39ec20cd2568fc8818c720a6ffdf7fc0a27ea
Opcode Fuzzy Hash: e8f0598dbd45f399888059267843e7640e179de0418f77ab1c84c48c3c6fc7e4
Instruction Fuzzy Hash: 8D81BF76706B80C2EB60AB01F598BBAB7B0F758BD8F644121DEC907B99DB3AC445C700

Function 0000026C9CB88E40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB93E78: malloc.LIBCMT ref: 0000026C9CB93E92

GetLastInputInfo.USER32 ref: 0000026C9CB88E80
GetTickCount.KERNEL32 ref: 0000026C9CB88E86
wsprintfW.USER32 ref: 0000026C9CB88EB7
GetForegroundWindow.USER32 ref: 0000026C9CB88EBD
GetWindowTextW.USER32 ref: 0000026C9CB88ED5

Strings

%d min, xrefs: 0000026C9CB88EB0

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Window$CountForegroundInfoInputLastTextTickmallocwsprintf
String ID: %d min
API String ID: 4179731349-1947832151
Opcode ID: 422eb00071ef3fa8c2918f9fc1214eccc8ab5220253c98e71f31a22b5cd05278
Instruction ID: 1e9215dca510f4cb37dd90eb7a91d45591ec55d112e2199f305c1a38137e0754
Opcode Fuzzy Hash: 422eb00071ef3fa8c2918f9fc1214eccc8ab5220253c98e71f31a22b5cd05278
Instruction Fuzzy Hash: 6241B172605684C7E764EF2AE4483BAB7B1F788B84F644125EE8A47B54DF3AC505CF00

Function 0000026C9CB953DC Relevance: 10.6, APIs: 7, Instructions: 93threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB995AC: HeapCreate.KERNEL32 ref: 0000026C9CB995C2
Part of subcall function 0000026C9CB995AC: GetVersion.KERNEL32 ref: 0000026C9CB995D4
Part of subcall function 0000026C9CB995AC: HeapSetInformation.KERNEL32 ref: 0000026C9CB995F2

_RTC_Initialize.LIBCMT ref: 0000026C9CB9540E
GetCommandLineA.KERNEL32 ref: 0000026C9CB95413

Part of subcall function 0000026C9CB9AB64: GetEnvironmentStringsW.KERNEL32 ref: 0000026C9CB9AB7D
Part of subcall function 0000026C9CB9AB64: WideCharToMultiByte.KERNEL32 ref: 0000026C9CB9ABD4
Part of subcall function 0000026C9CB9AB64: WideCharToMultiByte.KERNEL32 ref: 0000026C9CB9AC0F
Part of subcall function 0000026C9CB9AB64: free.LIBCMT ref: 0000026C9CB9AC1C
Part of subcall function 0000026C9CB9AB64: FreeEnvironmentStringsW.KERNEL32 ref: 0000026C9CB9AC27

Part of subcall function 0000026C9CB9A424: GetStartupInfoW.KERNEL32 ref: 0000026C9CB9A445

__setargv.LIBCMT ref: 0000026C9CB9543C
_cinit.LIBCMT ref: 0000026C9CB95450

Part of subcall function 0000026C9CB96E44: FlsFree.KERNEL32 ref: 0000026C9CB96E53
Part of subcall function 0000026C9CB96E44: DeleteCriticalSection.KERNEL32 ref: 0000026C9CB9E8EB
Part of subcall function 0000026C9CB96E44: free.LIBCMT ref: 0000026C9CB9E8F4
Part of subcall function 0000026C9CB96E44: DeleteCriticalSection.KERNEL32 ref: 0000026C9CB9E91B

Part of subcall function 0000026C9CB9A6F8: free.LIBCMT ref: 0000026C9CB9A749

Part of subcall function 0000026C9CB979CC: Sleep.KERNEL32 ref: 0000026C9CB97A11

FlsSetValue.KERNEL32 ref: 0000026C9CB954EA
GetCurrentThreadId.KERNEL32 ref: 0000026C9CB954FE
free.LIBCMT ref: 0000026C9CB9550D

Part of subcall function 0000026C9CB94698: HeapFree.KERNEL32 ref: 0000026C9CB946AE
Part of subcall function 0000026C9CB94698: _errno.LIBCMT ref: 0000026C9CB946B8

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeap$ByteCharCriticalDeleteEnvironmentMultiSectionStringsWide$CommandCreateCurrentInfoInformationInitializeLineSleepStartupThreadValueVersion__setargv_cinit_errno
String ID:
API String ID: 2481119767-0
Opcode ID: fa810e96e6b49a81c5a3de3deb820a248b92c227eb375945ca1b424efe49a0c5
Instruction ID: 3737a9570037b712ae191be714f8b2416b3819e6e03301eaee5be58e8c98341e
Opcode Fuzzy Hash: fa810e96e6b49a81c5a3de3deb820a248b92c227eb375945ca1b424efe49a0c5
Instruction Fuzzy Hash: 9E319030A83602C6FFA477B1D94E37D32B19B2176DF344224D8D5462D7EE2BC8499622

Function 0000026C9CB5E66D Relevance: 10.6, APIs: 7, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CB5E690
_errno.LIBCMT ref: 0000026C9CB5E698

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 30668c2f20c6f80ff7138b934324c66d2765922e04ca970253a5424b5db80f86
Instruction ID: 6c8a879f0a69108fd231bd41c627f60009261369c5590c101156878ed99a7a06
Opcode Fuzzy Hash: 30668c2f20c6f80ff7138b934324c66d2765922e04ca970253a5424b5db80f86
Instruction Fuzzy Hash: FD210E316197C4CEF3197B58D84A3F972E0EB49360F300259E5C5872E3D669AC018651

Function 0000026C9CB5EEB1 Relevance: 10.6, APIs: 7, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CB5EED4
_errno.LIBCMT ref: 0000026C9CB5EEDC

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: bcb02bae539d5dc8e5dc439c059f32d07212becae44f91b8e5163380297e7527
Instruction ID: 92dfc75f1744bc4c46a4af8fb3f8c3246982c919585d78023a96daad026802aa
Opcode Fuzzy Hash: bcb02bae539d5dc8e5dc439c059f32d07212becae44f91b8e5163380297e7527
Instruction Fuzzy Hash: 1C212B3161A7C4CFF7187B58D88E3BC76E0EB45320F340249E9D5472E3DAAA98414692

Function 00007FF7F7340970 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7F73409B8
WaitForSingleObject.KERNEL32 ref: 00007FF7F7340A33
CloseHandle.KERNEL32 ref: 00007FF7F7340A8C

Part of subcall function 00007FF7F731B5D0: _Init_thread_footer.LIBCMT ref: 00007FF7F731B703

Strings

default, xrefs: 00007FF7F73409D8
QThread::wait: Thread wait failure, xrefs: 00007FF7F7340A42
QThread::wait: Thread tried to wait on itself, xrefs: 00007FF7F73409E4

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: CloseCurrentHandleInit_thread_footerObjectSingleThreadWait
String ID: QThread::wait: Thread tried to wait on itself$QThread::wait: Thread wait failure$default
API String ID: 3558220368-2839480340
Opcode ID: 5606b09bc6a5dc592dbef470d28760f875ccfb88470aa8651be09fd3ff341b3a
Instruction ID: 7e1117f69a304c8ff554c772c02bb8680a8522add4b29d582510e809961a02b8
Opcode Fuzzy Hash: 5606b09bc6a5dc592dbef470d28760f875ccfb88470aa8651be09fd3ff341b3a
Instruction Fuzzy Hash: 1841B727B186C2A2E768AF359805378A390FF44774F984339DA7D032E1CF38E45683A0

Function 0000026C9CB91280 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 0000026C9CB912C2
SetLastError.KERNEL32 ref: 0000026C9CB912F0
GetLastError.KERNEL32 ref: 0000026C9CB91325
WSAGetLastError.WS2_32 ref: 0000026C9CB91364

Strings

<C-CNNID: %Iu> recv 0 bytes (detect package), xrefs: 0000026C9CB91389
<C-CNNID: %Iu> OnReceive() event return 'HR_ERROR', connection will be closed !, xrefs: 0000026C9CB91319

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$recv
String ID: <C-CNNID: %Iu> OnReceive() event return 'HR_ERROR', connection will be closed !$<C-CNNID: %Iu> recv 0 bytes (detect package)
API String ID: 316788870-281152440
Opcode ID: e006504f11bb0893ad072e5ecebb35c70b253aa6bceec88274e66d0847f92e8c
Instruction ID: e3daca179ad8811508077ee51d83b8578a6548adc74768e2333d6e9445db05f7
Opcode Fuzzy Hash: e006504f11bb0893ad072e5ecebb35c70b253aa6bceec88274e66d0847f92e8c
Instruction Fuzzy Hash: 67314172606A40C6EB90AF36E48877E37F0F748B9CF645125DE89C7799DB3AC8819740

Function 0000026C9CB83FE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0000026C9CB83FEA
CoCreateInstance.OLE32 ref: 0000026C9CB8400E
SysFreeString.OLEAUT32 ref: 0000026C9CB840D8
CoUninitialize.OLE32 ref: 0000026C9CB84125

Strings

Network, xrefs: 0000026C9CB83FE0
FriendlyName, xrefs: 0000026C9CB840C0

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CreateFreeInitializeInstanceStringUninitialize
String ID: FriendlyName$Network
API String ID: 841178590-1437807293
Opcode ID: c51619dea522e0c55fc0899b43e0b55aa5e9855a9860aea8fcd38e191733d5da
Instruction ID: d33c5d3faed8d27face61a78b6bc0981662f48ab08698d02bbc5cd07b378ecd3
Opcode Fuzzy Hash: c51619dea522e0c55fc0899b43e0b55aa5e9855a9860aea8fcd38e191733d5da
Instruction Fuzzy Hash: 2D31EE36205A86C2EB50DF35E4947AA77B4F7C4B95F654012DACE83B24DF3AC589CB40

Function 0000026C9CB89EA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000026C9CB89EB0
GetFileAttributesW.KERNEL32 ref: 0000026C9CB89F3A
GetLastError.KERNEL32 ref: 0000026C9CB89F45
CreateProcessW.KERNEL32 ref: 0000026C9CB89FAA

Strings

WinSta0\Default, xrefs: 0000026C9CB89F60
h, xrefs: 0000026C9CB89FA2

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: AttributesCreateErrorFileLastProcesslstrlen
String ID: WinSta0\Default$h
API String ID: 591566999-1620045033
Opcode ID: c8e2f4124be8c9a6e4893f230f4c199dab45ef929636d0fe5c6bc72b415117a5
Instruction ID: aada8a8c7bf9a7c04e73552dc4209205bc1e3ddd75f13ce39bad34d6a5923bab
Opcode Fuzzy Hash: c8e2f4124be8c9a6e4893f230f4c199dab45ef929636d0fe5c6bc72b415117a5
Instruction Fuzzy Hash: 2E318131605681C2EB64EB25F4593BEB3F1E7847D4F604231AAED47B99EF3AC4458B00

Function 0000026C9CB5F735 Relevance: 10.6, APIs: 7, Instructions: 75COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB5F759
_errno.LIBCMT ref: 0000026C9CB5F772
write_char.LIBCMT ref: 0000026C9CB5F788
_errno.LIBCMT ref: 0000026C9CB5F796
write_char.LIBCMT ref: 0000026C9CB5F7AB
_errno.LIBCMT ref: 0000026C9CB5F7B4
_errno.LIBCMT ref: 0000026C9CB5F7BE

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: ea6d6c994a736733083169bee3cb065916d4f19d50813b09805ee92671e3cf58
Instruction ID: a4601b0cae3f31b5dad24c166ec9023707c11a00adf9264c8a179d430478d3e8
Opcode Fuzzy Hash: ea6d6c994a736733083169bee3cb065916d4f19d50813b09805ee92671e3cf58
Instruction Fuzzy Hash: D4213B30515B88CFEB64BA98D44A375B3F0EB69311F31015AE699C72E2DA75DC81CB82

Function 00007FF7F733F9E0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7F7340290: _Init_thread_footer.LIBCMT ref: 00007FF7F734030B
Part of subcall function 00007FF7F7340290: TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F732F780), ref: 00007FF7F734031C

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F732F780), ref: 00007FF7F733FA07
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F732F780), ref: 00007FF7F733FA53
GetCurrentThreadId.KERNEL32 ref: 00007FF7F733FA8A
GetCurrentProcess.KERNEL32 ref: 00007FF7F733FAB6
GetCurrentThread.KERNEL32 ref: 00007FF7F733FABF
GetCurrentProcess.KERNEL32 ref: 00007FF7F733FAC8
DuplicateHandle.KERNEL32 ref: 00007FF7F733FAF4

Part of subcall function 00007FF7F7340350: GetCurrentThreadId.KERNEL32 ref: 00007FF7F7340387
Part of subcall function 00007FF7F7340350: CloseHandle.KERNEL32 ref: 00007FF7F7340398

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Current$Thread$HandleProcessValue$AllocCloseDuplicateInit_thread_footer
String ID:
API String ID: 1145076070-0
Opcode ID: 408a2b34e50e2ba976580d2fae296fcd2328d94a12b92b755e17d9db50ea5d54
Instruction ID: 8ee2f6b971d59fc417913c188df7d99589d4934a7bb5576a90c4a70a8e099eb9
Opcode Fuzzy Hash: 408a2b34e50e2ba976580d2fae296fcd2328d94a12b92b755e17d9db50ea5d54
Instruction Fuzzy Hash: 0731103991978293EB90AB15A444269B2A1FF45BA0F940238DABE077D5DF3CF046C7A0

Function 0000026C9CB65961 Relevance: 10.6, APIs: 7, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CB6597A
_errno.LIBCMT ref: 0000026C9CB65982
_close_nolock.LIBCMT ref: 0000026C9CB659D9

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: 663138914dc975fbd29fce16c083a78efe6195e4759d07de2d0406a2aad54802
Instruction ID: 5cc5dedca658c94836696732a0df01bd55a3a7608c2f02ca2b41d40ea8090122
Opcode Fuzzy Hash: 663138914dc975fbd29fce16c083a78efe6195e4759d07de2d0406a2aad54802
Instruction Fuzzy Hash: 2321D23111AA44CEF3147F65D98E3B876B0EB81331F350A1CE4DA872E3CA7698948752

Function 0000026C9CB902E0 Relevance: 10.6, APIs: 7, Instructions: 67windowtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0000026C9CB9030E
timeGetTime.WINMM ref: 0000026C9CB9032B
MsgWaitForMultipleObjects.USER32 ref: 0000026C9CB9034B
PeekMessageW.USER32 ref: 0000026C9CB9036A
TranslateMessage.USER32 ref: 0000026C9CB90379
DispatchMessageW.USER32 ref: 0000026C9CB90384
PeekMessageW.USER32 ref: 0000026C9CB9039F

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Message$PeekTimetime$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 443098685-0
Opcode ID: a6a614697040017534cd3b1d3e96cc5a4ea4528f5d59ece13cf00c21120499df
Instruction ID: d355eeae27097f1c311f8b5790f7bf03b1768cb38e137b36cbe8c4d9d3e26622
Opcode Fuzzy Hash: a6a614697040017534cd3b1d3e96cc5a4ea4528f5d59ece13cf00c21120499df
Instruction Fuzzy Hash: 76218331725A51C7E7609B25F888F3A76B0F79CB58FE05211EED943E94DB3AC8458B40

Function 0000026C9CB9F3E0 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CB9F403
_errno.LIBCMT ref: 0000026C9CB9F40B

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 821f5293a29abbd7863e97bfbf14561feb01f87c9b858ffea3149c09338b6ff9
Instruction ID: 3a28a55326589f3326ff1570ab482307a3fe6c1a5cec53d8af19b35186103d3b
Opcode Fuzzy Hash: 821f5293a29abbd7863e97bfbf14561feb01f87c9b858ffea3149c09338b6ff9
Instruction Fuzzy Hash: D4210132312940C5F3167B65D89A37D3B70A781BF9F294114EA94073D3DABA84808354

Function 00000001400087F0 Relevance: 10.6, APIs: 7, Instructions: 67windowtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,?,?,?,?,?,?,?,?,?,0000000140008983), ref: 000000014000881E
timeGetTime.WINMM(?,?,?,?,?,?,?,?,?,?,?,0000000140008983), ref: 000000014000883B
MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,?,?,0000000140008983), ref: 000000014000885B
PeekMessageW.USER32 ref: 000000014000887A
TranslateMessage.USER32 ref: 0000000140008889
DispatchMessageW.USER32 ref: 0000000140008894
PeekMessageW.USER32 ref: 00000001400088AF

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: Message$PeekTimetime$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 443098685-0
Opcode ID: f519665c691364a73c8828fb6620903fabd3b4a25194a309f82e53ada5401924
Instruction ID: 305f93d56b7a1220d1d78e3cac75812468a422e5bfdccfe149107610b3fc70fd
Opcode Fuzzy Hash: f519665c691364a73c8828fb6620903fabd3b4a25194a309f82e53ada5401924
Instruction Fuzzy Hash: 0C21C472720A5086E771CB22F844F9A7690F79CBE4F905210FFA943AA4DF39C541DB00

Function 0000026C9CB9EB9C Relevance: 10.6, APIs: 7, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CB9EBBF
_errno.LIBCMT ref: 0000026C9CB9EBC7

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 173280ab0a16f06b6be0f486b7fc90be9e63d45bf980aa7259864e1372d933b7
Instruction ID: 7dcb6e82f0d047ff7de61784c907f91f54209dae86a749e409d58b55bee60cfd
Opcode Fuzzy Hash: 173280ab0a16f06b6be0f486b7fc90be9e63d45bf980aa7259864e1372d933b7
Instruction Fuzzy Hash: 6A21FF32216680C5F7567B68D85E3BD3A716781BF9F390304AEF4073C2DA7A84408320

Function 0000026C9CBA52A0 Relevance: 10.6, APIs: 7, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CBA52B9
FlushFileBuffers.KERNEL32 ref: 0000026C9CBA531C
GetLastError.KERNEL32 ref: 0000026C9CBA5326
__doserrno.LIBCMT ref: 0000026C9CBA5336
_errno.LIBCMT ref: 0000026C9CBA533D

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno
String ID:
API String ID: 1845094721-0
Opcode ID: b93863f42654a4b52d6dd73c40ccdba5987062f1c3bd463329d4bbee9e2aa4a0
Instruction ID: ecc231bc13fafb0a9228997ce2eec623fa43c374c19710d6015b660075453b39
Opcode Fuzzy Hash: b93863f42654a4b52d6dd73c40ccdba5987062f1c3bd463329d4bbee9e2aa4a0
Instruction Fuzzy Hash: AE21A131602A44C6F7157FA5D59D37E36F0AB80790F390128EAD6072D6DBBA89488314

Function 0000026C9CB8C070 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0000026C9CB8C09F
GetWindowTextW.USER32 ref: 0000026C9CB8C0BC
lstrlenW.KERNEL32 ref: 0000026C9CB8C0F6
GetLocalTime.KERNEL32 ref: 0000026C9CB8C105
wsprintfW.USER32 ref: 0000026C9CB8C155

Part of subcall function 0000026C9CB8BFB0: WaitForSingleObject.KERNEL32 ref: 0000026C9CB8BFC7
Part of subcall function 0000026C9CB8BFB0: CreateFileW.KERNEL32 ref: 0000026C9CB8BFF9
Part of subcall function 0000026C9CB8BFB0: SetFilePointer.KERNEL32 ref: 0000026C9CB8C018
Part of subcall function 0000026C9CB8BFB0: lstrlenW.KERNEL32 ref: 0000026C9CB8C021
Part of subcall function 0000026C9CB8BFB0: WriteFile.KERNEL32 ref: 0000026C9CB8C03F
Part of subcall function 0000026C9CB8BFB0: CloseHandle.KERNEL32 ref: 0000026C9CB8C048
Part of subcall function 0000026C9CB8BFB0: ReleaseMutex.KERNEL32 ref: 0000026C9CB8C055

Strings

[, xrefs: 0000026C9CB8C14E

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: File$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
String ID: [
API String ID: 3163932117-4056885943
Opcode ID: 73e49f8ca6e268b064f541a2adff590462e5e9fe521d7392cec81c559873f1d1
Instruction ID: c6aa2c0966a8c049bf2c9046e7754d6597a031c618c9190df8327b5d014ac952
Opcode Fuzzy Hash: 73e49f8ca6e268b064f541a2adff590462e5e9fe521d7392cec81c559873f1d1
Instruction Fuzzy Hash: BB31613121AA40C2F754EF92F89977AB7B1F794744FA04016E9CD42AA4EF3EC558CB50

Function 0000026C9CB9E958 Relevance: 10.6, APIs: 7, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 0000026C9CB9E97F

Part of subcall function 0000026C9CB97DEC: _set_error_mode.LIBCMT ref: 0000026C9CB97DF5
Part of subcall function 0000026C9CB97DEC: _set_error_mode.LIBCMT ref: 0000026C9CB97E04

Part of subcall function 0000026C9CB97B8C: _set_error_mode.LIBCMT ref: 0000026C9CB97BD1
Part of subcall function 0000026C9CB97B8C: _set_error_mode.LIBCMT ref: 0000026C9CB97BE2
Part of subcall function 0000026C9CB97B8C: GetModuleFileNameW.KERNEL32 ref: 0000026C9CB97C44

Part of subcall function 0000026C9CB9794C: malloc.LIBCMT ref: 0000026C9CB97977
Part of subcall function 0000026C9CB9794C: Sleep.KERNEL32 ref: 0000026C9CB9798A

_errno.LIBCMT ref: 0000026C9CB9E9C1
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000026C9CB9E9EB
free.LIBCMT ref: 0000026C9CB9E9F8
_errno.LIBCMT ref: 0000026C9CB9E9FD
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB9EA20

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountFileInitializeLeaveModuleNameSleepSpinfreemalloc
String ID:
API String ID: 3619412461-0
Opcode ID: adf093be1493d26b0308fb18adbfc07a86a0bd316682e00d36ba23ed80a1460b
Instruction ID: df246ff8c6376f34dac7d0bb614137ce8a4dadaf4fa6554d3ba4a5508a72cdeb
Opcode Fuzzy Hash: adf093be1493d26b0308fb18adbfc07a86a0bd316682e00d36ba23ed80a1460b
Instruction Fuzzy Hash: FC214731613680C2F7A0BB51E81C37A72B0FB867D8F745424A5CA576D2DF7AC8408711

Function 0000026C9CBA5E90 Relevance: 10.6, APIs: 7, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CBA5EA9
_errno.LIBCMT ref: 0000026C9CBA5EB1
_close_nolock.LIBCMT ref: 0000026C9CBA5F08

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: 39692bd83cbc8bad7885e4b5d4687ea0fb49e434dd73b264a51106f0543e9273
Instruction ID: 994151c80b0859d0b7fb0c4c191052b0ee701cb268c613f9e56909b77ad24bb1
Opcode Fuzzy Hash: 39692bd83cbc8bad7885e4b5d4687ea0fb49e434dd73b264a51106f0543e9273
Instruction Fuzzy Hash: 66110332606A84C6FB553F64D89E37D3AB0A7807E0F354624E6E5072C3EABBC944C310

Function 0000026C9CB98A58 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB98A7C
_errno.LIBCMT ref: 0000026C9CB98A95
write_char.LIBCMT ref: 0000026C9CB98AAA
_errno.LIBCMT ref: 0000026C9CB98AB7
write_char.LIBCMT ref: 0000026C9CB98AC9
_errno.LIBCMT ref: 0000026C9CB98AD2
_errno.LIBCMT ref: 0000026C9CB98ADC

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: e0a6f99f23bc9ffbc8dd80dba2f8abd9560bbbb3885de2e40a26830c9027ae13
Instruction ID: 325478164cbc3698b7141dfb78b72678ed72236fb3d73e84049bdea5d34ecf24
Opcode Fuzzy Hash: e0a6f99f23bc9ffbc8dd80dba2f8abd9560bbbb3885de2e40a26830c9027ae13
Instruction Fuzzy Hash: EC115B32006B80C6E7617B62D40937DB6B0F395BD8F285011EBD407797EB3BC9518741

Function 0000026C9CB9FC64 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB9FC88
_errno.LIBCMT ref: 0000026C9CB9FCA1
write_char.LIBCMT ref: 0000026C9CB9FCB7
_errno.LIBCMT ref: 0000026C9CB9FCC5
write_char.LIBCMT ref: 0000026C9CB9FCDA
_errno.LIBCMT ref: 0000026C9CB9FCE3
_errno.LIBCMT ref: 0000026C9CB9FCED

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: ea6d6c994a736733083169bee3cb065916d4f19d50813b09805ee92671e3cf58
Instruction ID: 120dbbb54fd68ed29ee0ec01cab7f648261cf291df6b9bbbcb9b910a5c01dd98
Opcode Fuzzy Hash: ea6d6c994a736733083169bee3cb065916d4f19d50813b09805ee92671e3cf58
Instruction Fuzzy Hash: 07117372501A80C6E7607BA2E40A37D77B0F395BE8F298015EF8403782EB3ADA81C751

Function 00007FF7F740AFCC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7F740AFFD
GetLastError.KERNEL32 ref: 00007FF7F740B009
CloseHandle.KERNEL32 ref: 00007FF7F740B021
CreateFileW.KERNEL32 ref: 00007FF7F740B04C
WriteConsoleW.KERNEL32 ref: 00007FF7F740B06B

Strings

CONOUT$, xrefs: 00007FF7F740B02D

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 6c706e776ac81385c870dcad09bcf9c717d9a6faa38eacb18e293ef4a9f07b38
Instruction ID: e44b48cc4cde0c475eda53abd962454d453952fcfd77df9a1fe12381171886fe
Opcode Fuzzy Hash: 6c706e776ac81385c870dcad09bcf9c717d9a6faa38eacb18e293ef4a9f07b38
Instruction Fuzzy Hash: 5511D625B18B4186E750AB02E844735E2A0FB88FF5F904234D92E837D4CF7CD446C794

Function 0000026C9CB84E80 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000026C9CB84EAB
GetCommandLineW.KERNEL32 ref: 0000026C9CB84EB1
GetStartupInfoW.KERNEL32 ref: 0000026C9CB84EBF
CreateProcessW.KERNEL32 ref: 0000026C9CB84F02
ExitProcess.KERNEL32 ref: 0000026C9CB84F0B

Strings

, xrefs: 0000026C9CB84EF6

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-3916222277
Opcode ID: 2d2fce262e285fa9fa2810391d16c93d7bb5af68b546423bde804a28fab8f9c8
Instruction ID: f9f04b5e14bfae8ddb3bb2ac3e39fb6051fde91a6e73a03a5abcf938c88afff6
Opcode Fuzzy Hash: 2d2fce262e285fa9fa2810391d16c93d7bb5af68b546423bde804a28fab8f9c8
Instruction Fuzzy Hash: 7F011A32615B85C7DB609B24F85876BB7F4F784780FA00125E6CA43A68DF3EC1498B00

Function 0000026C9CB8BFB0 Relevance: 10.5, APIs: 7, Instructions: 38filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000026C9CB8BFC7
CreateFileW.KERNEL32 ref: 0000026C9CB8BFF9
SetFilePointer.KERNEL32 ref: 0000026C9CB8C018
lstrlenW.KERNEL32 ref: 0000026C9CB8C021
WriteFile.KERNEL32 ref: 0000026C9CB8C03F
CloseHandle.KERNEL32 ref: 0000026C9CB8C048
ReleaseMutex.KERNEL32 ref: 0000026C9CB8C055

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: e6c73dd4b36f160f1a62fbf4a0c0e9ac1c0c35662008cd925dc09f0461ab862e
Instruction ID: 27864e326862e407991bbcc65f0c940748e943e6c89aaded279c951d330365ca
Opcode Fuzzy Hash: e6c73dd4b36f160f1a62fbf4a0c0e9ac1c0c35662008cd925dc09f0461ab862e
Instruction Fuzzy Hash: B1111B71215A84C7E750EB52F81CB7A77B0F788B98FA44110EADA43B64CF7EC5498B00

Function 0000026C9CB5AB89 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CB5ABA8

Part of subcall function 0000026C9CB5BD85: _getptd.LIBCMT ref: 0000026C9CB5BD89

_getptd.LIBCMT ref: 0000026C9CB5ABBA
_getptd.LIBCMT ref: 0000026C9CB5ABC8

Strings

RCC, xrefs: 0000026C9CB5AB90
csm, xrefs: 0000026C9CB5ABA0
MOC, xrefs: 0000026C9CB5AB98

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: e00eff0fe5e15c3e8c090d11fcbd1bf996e4955e1c4277de16df4e8acf759e70
Instruction ID: 7b46387339eb32adb9bc9a9264f8085ce22b6e95d9b9c81d434cd0cec9505564
Opcode Fuzzy Hash: e00eff0fe5e15c3e8c090d11fcbd1bf996e4955e1c4277de16df4e8acf759e70
Instruction Fuzzy Hash: FCF0ED38852149CFF75977A4C50D3B432F1FF18306F6691E994849A2E3D7FEC9808A92

Function 0000026C9CB9B0B8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 20COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CB9B0D7

Part of subcall function 0000026C9CB96FA8: _amsg_exit.LIBCMT ref: 0000026C9CB96FBE

Part of subcall function 0000026C9CB9C2B4: _getptd.LIBCMT ref: 0000026C9CB9C2B8

_getptd.LIBCMT ref: 0000026C9CB9B0E9
_getptd.LIBCMT ref: 0000026C9CB9B0F7

Strings

MOC, xrefs: 0000026C9CB9B0C7
RCC, xrefs: 0000026C9CB9B0BF
csm, xrefs: 0000026C9CB9B0CF

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$_amsg_exit
String ID: MOC$RCC$csm
API String ID: 2610988583-2671469338
Opcode ID: e00eff0fe5e15c3e8c090d11fcbd1bf996e4955e1c4277de16df4e8acf759e70
Instruction ID: 624a1fc0c27355cb606c157d1c2ca48eb6bbd6affd7a79d1bcdf87ab6803eac2
Opcode Fuzzy Hash: e00eff0fe5e15c3e8c090d11fcbd1bf996e4955e1c4277de16df4e8acf759e70
Instruction Fuzzy Hash: A9F01236522214C6EF653B64C05E3FC35B4F79870DFE6D56582D4423C2D7FE48808A52

Function 0000026C9CB93110 Relevance: 10.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0000026C9CB9313E
EnterCriticalSection.KERNEL32 ref: 0000026C9CB93162
SetLastError.KERNEL32 ref: 0000026C9CB93175
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB9317F

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 647e02dd2c1bdac2cb0593e1bcada1d5777c8686bc1b852d6813ed41c29527b2
Instruction ID: c04cde14f7ce488b0a53c1b9a60e375d1a75cfc539acd7e2e506f326c2e33fe6
Opcode Fuzzy Hash: 647e02dd2c1bdac2cb0593e1bcada1d5777c8686bc1b852d6813ed41c29527b2
Instruction Fuzzy Hash: 7F417D36201B40CBE754BB21E45CABA73B5F74DB98F645225DE8A83791DF3AC845CB01

Function 00007FF7F73805B0 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F7382530: GetProcAddress.KERNEL32 ref: 00007FF7F73825D0
Part of subcall function 00007FF7F7382530: GetProcAddress.KERNEL32 ref: 00007FF7F73825E7
Part of subcall function 00007FF7F7382530: GetProcAddress.KERNEL32 ref: 00007FF7F73825FE
Part of subcall function 00007FF7F7382530: GetProcAddress.KERNEL32 ref: 00007FF7F7382615
Part of subcall function 00007FF7F7382530: GetCurrentProcess.KERNEL32 ref: 00007FF7F7382630
Part of subcall function 00007FF7F7382530: OpenProcessToken.ADVAPI32 ref: 00007FF7F738265C
Part of subcall function 00007FF7F7382530: GetTokenInformation.ADVAPI32 ref: 00007FF7F7382688
Part of subcall function 00007FF7F7382530: GetTokenInformation.ADVAPI32 ref: 00007FF7F73826BC
Part of subcall function 00007FF7F7382530: GetLengthSid.ADVAPI32 ref: 00007FF7F73826CC
Part of subcall function 00007FF7F7382530: CopySid.ADVAPI32 ref: 00007FF7F73826EA

LocalFree.KERNEL32 ref: 00007FF7F73807E0

Strings

.pif, xrefs: 00007FF7F7380937
.com, xrefs: 00007FF7F73808D3
.bat, xrefs: 00007FF7F7380907
.cmd, xrefs: 00007FF7F7380967
.exe, xrefs: 00007FF7F738089F

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc$Token$InformationProcess$CopyCurrentFreeLengthLocalOpen
String ID: .bat$.cmd$.com$.exe$.pif
API String ID: 3463338316-2292669753
Opcode ID: a4ee9e539fb5e06da0ce4f5bc97e58f13e50c77d53f1c576658f6c62b7bba354
Instruction ID: 3f76d200a619958aff2e21426044650ea8d4fb20dcb71214b5ab09230832f643
Opcode Fuzzy Hash: a4ee9e539fb5e06da0ce4f5bc97e58f13e50c77d53f1c576658f6c62b7bba354
Instruction Fuzzy Hash: BDF16F36A097819BF710AB28D8412BDB7A0FF80758F944138DA6D476E8DF7CD546CB90

Function 0000026C9CB59771 Relevance: 9.2, APIs: 6, Instructions: 164COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CB59790

Part of subcall function 0000026C9CB593AD: _getptd.LIBCMT ref: 0000026C9CB593B7

Part of subcall function 0000026C9CB5741D: malloc.LIBCMT ref: 0000026C9CB57448

free.LIBCMT ref: 0000026C9CB5981B

Part of subcall function 0000026C9CB54169: _errno.LIBCMT ref: 0000026C9CB54189

_lock.LIBCMT ref: 0000026C9CB5984B
free.LIBCMT ref: 0000026C9CB598EE
free.LIBCMT ref: 0000026C9CB5991A
_errno.LIBCMT ref: 0000026C9CB5991F

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: free$_errno_getptd$_lockmalloc
String ID:
API String ID: 1369581901-0
Opcode ID: 677f3550d650548e460b7bf04926cfe641f17280e9f94b78788199c02c4676c8
Instruction ID: dc019a88d9f45a8745499d57227c677760fe06cc5073efc3b606e98904d30df3
Opcode Fuzzy Hash: 677f3550d650548e460b7bf04926cfe641f17280e9f94b78788199c02c4676c8
Instruction Fuzzy Hash: 0F518230A1AA84CFEB64AF64D4857B977F1EB95310F204169D89EC7292DA35D8438782

Function 0000026C9CB4E271 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026C9CB4E2A6
malloc.LIBCMT ref: 0000026C9CB4E312

Part of subcall function 0000026C9CB541A9: _FF_MSGBANNER.LIBCMT ref: 0000026C9CB541D9
Part of subcall function 0000026C9CB541A9: _callnewh.LIBCMT ref: 0000026C9CB54217
Part of subcall function 0000026C9CB541A9: _errno.LIBCMT ref: 0000026C9CB54222
Part of subcall function 0000026C9CB541A9: _errno.LIBCMT ref: 0000026C9CB5422D

free.LIBCMT ref: 0000026C9CB4E33B

Part of subcall function 0000026C9CB54169: _errno.LIBCMT ref: 0000026C9CB54189

Strings

d, xrefs: 0000026C9CB4E3B2
d, xrefs: 0000026C9CB4E3BC
d, xrefs: 0000026C9CB4E3E6

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$malloc$_callnewhfree
String ID: d$d$d
API String ID: 1789327305-1898527202
Opcode ID: d89cf67625e5f3d9be3ac12f6ba0e19bfac00179c11cbf98e92fe216d6527eaa
Instruction ID: 43d7b3f669b6cefbf1776542ee7b016215251b85e4ca5d1e04511e3a2f4e7921
Opcode Fuzzy Hash: d89cf67625e5f3d9be3ac12f6ba0e19bfac00179c11cbf98e92fe216d6527eaa
Instruction Fuzzy Hash: D851DAB0519A58CFEB91EF18D088B657BE4FB18740F6541FA984CCB26ADB75C844CF90

Function 00007FF7F7340350 Relevance: 9.1, APIs: 6, Instructions: 104threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7F7340387
CloseHandle.KERNEL32 ref: 00007FF7F7340398
CreateEventW.KERNEL32 ref: 00007FF7F7340482
CreateThread.KERNEL32 ref: 00007FF7F73404C4
CloseHandle.KERNEL32 ref: 00007FF7F73404CD

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: CloseCreateHandleThread$CurrentEvent
String ID:
API String ID: 1633135894-0
Opcode ID: 9c8cad1299e0c9272d8f2c6ec9908b311088d7a55ff6301e464786220b0a3468
Instruction ID: 1fb566939cc77774c55ac4b8bc4994c360a2f3c13811a053a9d69601bf11d994
Opcode Fuzzy Hash: 9c8cad1299e0c9272d8f2c6ec9908b311088d7a55ff6301e464786220b0a3468
Instruction Fuzzy Hash: 7E517039B1869282EB24AF15E951678B761FF40B51F955239C57E037E0CF3DE442C7A0

Function 0000026C9CB97778 Relevance: 9.1, APIs: 6, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 0000026C9CB977D4
DecodePointer.KERNEL32 ref: 0000026C9CB977F2
DecodePointer.KERNEL32 ref: 0000026C9CB97832
DecodePointer.KERNEL32 ref: 0000026C9CB9784C
DecodePointer.KERNEL32 ref: 0000026C9CB9785C
ExitProcess.KERNEL32 ref: 0000026C9CB978E8

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: DecodePointer$ExitProcess
String ID:
API String ID: 1284615037-0
Opcode ID: 95cc4c190d7943855aadbb998e58200c754987734139fa49f6c9bfbe4b09495d
Instruction ID: fba014d55234bff6db037d36cb8ba2181e6a8da65593399408c55d2d6b6babcf
Opcode Fuzzy Hash: 95cc4c190d7943855aadbb998e58200c754987734139fa49f6c9bfbe4b09495d
Instruction Fuzzy Hash: B8417832613A40C2FB44BB12E89833972F4F798B98F740425AAC913BA4EF3BC451C701

Function 0000026C9CB8E7A0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026C9CB8E7D5
malloc.LIBCMT ref: 0000026C9CB8E841

Part of subcall function 0000026C9CB946D8: _FF_MSGBANNER.LIBCMT ref: 0000026C9CB94708
Part of subcall function 0000026C9CB946D8: HeapAlloc.KERNEL32 ref: 0000026C9CB9472D
Part of subcall function 0000026C9CB946D8: _callnewh.LIBCMT ref: 0000026C9CB94746
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB94751
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB9475C

free.LIBCMT ref: 0000026C9CB8E86A

Part of subcall function 0000026C9CB94698: HeapFree.KERNEL32 ref: 0000026C9CB946AE
Part of subcall function 0000026C9CB94698: _errno.LIBCMT ref: 0000026C9CB946B8

Strings

d, xrefs: 0000026C9CB8E8EB
d, xrefs: 0000026C9CB8E8E1
d, xrefs: 0000026C9CB8E914

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$Heapmalloc$AllocFree_callnewhfree
String ID: d$d$d
API String ID: 4257515785-1898527202
Opcode ID: 5ac4ee45e769e9299644d6e5f03c679bef95057c7f94c81e09fa81b34d444265
Instruction ID: fbce33b3a7dd3b61d36c32673e68f09726e4cd1f2d96e2b747fdc2b3ce006d39
Opcode Fuzzy Hash: 5ac4ee45e769e9299644d6e5f03c679bef95057c7f94c81e09fa81b34d444265
Instruction Fuzzy Hash: 0E412672112B90C9E7909F21E4443AD3BF8F348F88F69813ADA8817798EF76C454CB60

Function 0000026C9CB8E4D0 Relevance: 9.1, APIs: 6, Instructions: 86networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 0000026C9CB8E55F
free.LIBCMT ref: 0000026C9CB8E576

Part of subcall function 0000026C9CB94698: HeapFree.KERNEL32 ref: 0000026C9CB946AE
Part of subcall function 0000026C9CB94698: _errno.LIBCMT ref: 0000026C9CB946B8

WSASetLastError.WS2_32 ref: 0000026C9CB8E581
freeaddrinfo.WS2_32 ref: 0000026C9CB8E5C8
htons.WS2_32 ref: 0000026C9CB8E5D5
WSASetLastError.WS2_32 ref: 0000026C9CB8E5E6

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$FreeHeap_errnofreefreeaddrinfogetaddrinfohtons
String ID:
API String ID: 443883550-0
Opcode ID: fda43265b886c102daf43b2b617a422d89d82c2805bd548c61f079e8a940deb0
Instruction ID: 50175a7ab7c3d6a5b88329f58359eef7a87a8542b6e2c1f6a5431d6645aecb95
Opcode Fuzzy Hash: fda43265b886c102daf43b2b617a422d89d82c2805bd548c61f079e8a940deb0
Instruction Fuzzy Hash: B9319276205B81C2EB60AF11E4883BE73B1F788784F644125DACD47B94EF39C944CB40

Function 0000026C9CB5E429 Relevance: 9.1, APIs: 6, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 0000026C9CB5E450

Part of subcall function 0000026C9CB578BD: _set_error_mode.LIBCMT ref: 0000026C9CB578C6
Part of subcall function 0000026C9CB578BD: _set_error_mode.LIBCMT ref: 0000026C9CB578D5

Part of subcall function 0000026C9CB5765D: _set_error_mode.LIBCMT ref: 0000026C9CB576A2
Part of subcall function 0000026C9CB5765D: _set_error_mode.LIBCMT ref: 0000026C9CB576B3

Part of subcall function 0000026C9CB5741D: malloc.LIBCMT ref: 0000026C9CB57448

_errno.LIBCMT ref: 0000026C9CB5E492
_lock.LIBCMT ref: 0000026C9CB5E4A6
free.LIBCMT ref: 0000026C9CB5E4C9
_errno.LIBCMT ref: 0000026C9CB5E4CE

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _set_error_mode$_errno$_lockfreemalloc
String ID:
API String ID: 360200360-0
Opcode ID: adf093be1493d26b0308fb18adbfc07a86a0bd316682e00d36ba23ed80a1460b
Instruction ID: 9573c952e79388c26a9f67463b5ed6a1169f35d5f22ac8afc95920a0ea89f659
Opcode Fuzzy Hash: adf093be1493d26b0308fb18adbfc07a86a0bd316682e00d36ba23ed80a1460b
Instruction Fuzzy Hash: 0721903065A6D9CFF764BFA4D45D7BD72F0EB98350F604428A089C32D2DB7AD840A752

Function 0000026C9CB91710 Relevance: 9.1, APIs: 6, Instructions: 76threadnetworkCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026C9CB9171D

Part of subcall function 0000026C9CB91650: SwitchToThread.KERNEL32 ref: 0000026C9CB9169D

SetEvent.KERNEL32 ref: 0000026C9CB91757
CloseHandle.KERNEL32 ref: 0000026C9CB91785
WSACloseEvent.WS2_32 ref: 0000026C9CB917D4
shutdown.WS2_32 ref: 0000026C9CB917ED
closesocket.WS2_32 ref: 0000026C9CB917F7

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CloseEventThread$CurrentHandleSwitchclosesocketshutdown
String ID:
API String ID: 3526870478-0
Opcode ID: 932c4ec2da38c0ac6b1f6ceccf3195afbf5e37ca85e201a0a25c999c6e004dca
Instruction ID: 1eb977e74ebd8494691182358037f40ccbffea9e4faef4d81f1623520b2b60c7
Opcode Fuzzy Hash: 932c4ec2da38c0ac6b1f6ceccf3195afbf5e37ca85e201a0a25c999c6e004dca
Instruction Fuzzy Hash: B3313E76602A41C2E750AF35D45823D33B1E788FA8F254221EEAA43BD8CF39C895C740

Function 0000026C9CB82080 Relevance: 9.1, APIs: 6, Instructions: 76synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 0000026C9CB8209F
ResetEvent.KERNEL32 ref: 0000026C9CB820AC
timeGetTime.WINMM ref: 0000026C9CB820B2
WaitForSingleObject.KERNEL32 ref: 0000026C9CB8213F
ResetEvent.KERNEL32 ref: 0000026C9CB8215C
ResetEvent.KERNEL32 ref: 0000026C9CB82170

Part of subcall function 0000026C9CB93FEC: _errno.LIBCMT ref: 0000026C9CB94017
Part of subcall function 0000026C9CB93FEC: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB94022

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: EventReset$ObjectSingleTimeWait_errno_invalid_parameter_noinfotime
String ID:
API String ID: 2413556668-0
Opcode ID: 58d5c98b484be63242f2a745b5d15b4acce531cbd3b6e134beeab50c125b9f3c
Instruction ID: 4e3ad804f0708b9828c12fdf7477bfe81e14fda1ee29c29d0dd1272088560e5f
Opcode Fuzzy Hash: 58d5c98b484be63242f2a745b5d15b4acce531cbd3b6e134beeab50c125b9f3c
Instruction Fuzzy Hash: 44311736605A80C6DB50EF29E84836D77B0FB88F98F684121EE8E87765CF3AC445C311

Function 0000000140009C20 Relevance: 9.1, APIs: 6, Instructions: 76threadnetworkCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000000140009C2D

Part of subcall function 0000000140009B60: SwitchToThread.KERNEL32 ref: 0000000140009BAD

SetEvent.KERNEL32 ref: 0000000140009C67
CloseHandle.KERNEL32 ref: 0000000140009C95
WSACloseEvent.WS2_32 ref: 0000000140009CE4
shutdown.WS2_32 ref: 0000000140009CFD
closesocket.WS2_32 ref: 0000000140009D07

Memory Dump Source

Source File: 00000000.00000002.2235982556.0000000140001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2235967278.0000000140000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236001126.000000014001F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236014503.0000000140028000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2236026809.000000014002F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_quHmbPnLFV.jbxd

Similarity

API ID: CloseEventThread$CurrentHandleSwitchclosesocketshutdown
String ID:
API String ID: 3526870478-0
Opcode ID: 341751bcb2a9e39f1c64cda1b8c336d908026eaed392cb499eb77cff94f1bf09
Instruction ID: ee6b78ee20e75a199ac0f8d51655120480989cb093c4aabf2c1e140e6d99fe91
Opcode Fuzzy Hash: 341751bcb2a9e39f1c64cda1b8c336d908026eaed392cb499eb77cff94f1bf09
Instruction Fuzzy Hash: 51310BB6600A5082E762DF36E4507AD23A1E78CFE4F151221EF2A477E9CF34C885C740

Function 0000026C9CB90D80 Relevance: 9.1, APIs: 6, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32 ref: 0000026C9CB90DBE
WSAGetLastError.WS2_32 ref: 0000026C9CB90DC9

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorEventLastSelect
String ID:
API String ID: 1135597009-0
Opcode ID: 69ada47511ffae6a1b2352c791967df792aaf6681adecbb36eed45c614523dad
Instruction ID: 1ff8fc4c263abd575abc074a924706e0161ea17e8477869276eeff6f38470a15
Opcode Fuzzy Hash: 69ada47511ffae6a1b2352c791967df792aaf6681adecbb36eed45c614523dad
Instruction Fuzzy Hash: A9217CF2A01600C7F768AF75E49D37936F0E718B28FA40118CA99866D4CB7AC8D6CB44

Function 0000026C9CB9AB64 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0000026C9CB9AB7D
WideCharToMultiByte.KERNEL32 ref: 0000026C9CB9ABD4
WideCharToMultiByte.KERNEL32 ref: 0000026C9CB9AC0F
free.LIBCMT ref: 0000026C9CB9AC1C
FreeEnvironmentStringsW.KERNEL32 ref: 0000026C9CB9AC27
FreeEnvironmentStringsW.KERNEL32 ref: 0000026C9CB9AC35

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: 84a5488434b8dac386b9b2b17d419ada68844002088eb87c8cee20c73c3e860a
Instruction ID: 352cef112e1a38372de33ab777380b4ad4c511ccfa5f197b323044415088ec65
Opcode Fuzzy Hash: 84a5488434b8dac386b9b2b17d419ada68844002088eb87c8cee20c73c3e860a
Instruction Fuzzy Hash: 09212C3660AB84C6EB64AF21E85827A77F5F789FC4F584014EACA0BB54EF39C551C704

Function 0000026C9CB8D990 Relevance: 9.1, APIs: 6, Instructions: 67synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000026C9CB8D9DD
SetLastError.KERNEL32 ref: 0000026C9CB8D9EC
DeleteCriticalSection.KERNEL32 ref: 0000026C9CB8DA16
DeleteCriticalSection.KERNEL32 ref: 0000026C9CB8DA21
CloseHandle.KERNEL32 ref: 0000026C9CB8DA36
free.LIBCMT ref: 0000026C9CB8DA5E

Part of subcall function 0000026C9CB91710: GetCurrentThreadId.KERNEL32 ref: 0000026C9CB9171D

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalDeleteSection$CloseCurrentErrorHandleLastObjectSingleThreadWaitfree
String ID:
API String ID: 3850363221-0
Opcode ID: 62b29d53877b0602228696265d4c3e16b8dba605d7c938668be82d41532a3494
Instruction ID: 6f9d9c2946dfac334f2846196d633b50ea3fdbbf9a84cdf4afe39504d6887d7d
Opcode Fuzzy Hash: 62b29d53877b0602228696265d4c3e16b8dba605d7c938668be82d41532a3494
Instruction Fuzzy Hash: A8314F32606B81E7EB04AF64E8982B973B4FB85760FA40625D7ED437A1DF7AC465C300

Function 0000026C9CB96F24 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000026C9CB96F2E
FlsGetValue.KERNEL32 ref: 0000026C9CB96F3C
SetLastError.KERNEL32 ref: 0000026C9CB96F94

Part of subcall function 0000026C9CB979CC: Sleep.KERNEL32 ref: 0000026C9CB97A11

FlsSetValue.KERNEL32 ref: 0000026C9CB96F68
GetCurrentThreadId.KERNEL32 ref: 0000026C9CB96F7C
free.LIBCMT ref: 0000026C9CB96F8B

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLastValue$CurrentSleepThreadfree
String ID:
API String ID: 4106700288-0
Opcode ID: 57c3c7dc90d119b9a0a8397eb99df9ec0dc69960eb39fbd81eb1c175a554dc43
Instruction ID: c19ccc7fae677c1eac17c7acc688094af7b34efab6e92648387aa82885f61284
Opcode Fuzzy Hash: 57c3c7dc90d119b9a0a8397eb99df9ec0dc69960eb39fbd81eb1c175a554dc43
Instruction Fuzzy Hash: 84012C35613B41C7EF58BB65E46C73872F1BB48B94FA88224D9E6023D2EE3AD4459610

Function 0000026C9CB5B431 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 224COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CB5B462
_getptd.LIBCMT ref: 0000026C9CB5B480
_CallSETranslator.LIBCMT ref: 0000026C9CB5B4C8

Part of subcall function 0000026C9CB5564D: _getptd.LIBCMT ref: 0000026C9CB55674

Strings

RCC, xrefs: 0000026C9CB5B49E
MOC, xrefs: 0000026C9CB5B496

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$CallTranslator
String ID: MOC$RCC
API String ID: 3569367362-2084237596
Opcode ID: d98c30be7d4ee96f75737c1608306c21bbb9889ae77cccfa80ef6e71d2261ecd
Instruction ID: 6e1dbfebe50085e58a6e7a651d2022109fd5d327fda2509b7abd994b3d0268d6
Opcode Fuzzy Hash: d98c30be7d4ee96f75737c1608306c21bbb9889ae77cccfa80ef6e71d2261ecd
Instruction Fuzzy Hash: AE71BE30109B89CEE724BF54C0197FAB3F1FB80305F60066ED08587596EBB5E555C782

Function 0000026C9CB4E421 Relevance: 9.0, APIs: 7, Instructions: 217COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000026C9CB4E490
free.LIBCMT ref: 0000026C9CB4E4E0
free.LIBCMT ref: 0000026C9CB4E530
free.LIBCMT ref: 0000026C9CB4E580
free.LIBCMT ref: 0000026C9CB4E5CC
free.LIBCMT ref: 0000026C9CB4E5AB

Part of subcall function 0000026C9CB54169: _errno.LIBCMT ref: 0000026C9CB54189

free.LIBCMT ref: 0000026C9CB4E60A

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 782557a0797fb3a6741017a31a7857cbc3ea5258c35366068c63795a3bce058c
Instruction ID: fb47e338bd40752784372ec943d179e8c99e75a3fa6edda12454b10378059ec1
Opcode Fuzzy Hash: 782557a0797fb3a6741017a31a7857cbc3ea5258c35366068c63795a3bce058c
Instruction Fuzzy Hash: 0D71C071209A49CFEBA0EFA9D088B79B7E1FB68344F24455AD04DC7251DB36E882CB51

Function 0000026C9CB627CD Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026C9CB5F259: _errno.LIBCMT ref: 0000026C9CB5F262
Part of subcall function 0000026C9CB5F259: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB5F26D

_errno.LIBCMT ref: 0000026C9CB627F8
_errno.LIBCMT ref: 0000026C9CB62816
_isatty.LIBCMT ref: 0000026C9CB62877
_getbuf.LIBCMT ref: 0000026C9CB62883

Strings

, xrefs: 0000026C9CB62803

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 3655708593-3916222277
Opcode ID: 83c6cd6e49ca538d7d131c925b60aeaacb1595a3ec71be27b79afc4806d71a20
Instruction ID: 49fe4a66955e3e964b746bbd3273b9172ad97b7757378870f40c36c687756a6c
Opcode Fuzzy Hash: 83c6cd6e49ca538d7d131c925b60aeaacb1595a3ec71be27b79afc4806d71a20
Instruction Fuzzy Hash: CA519030115B09CEFB58BF58C98A7B977E0EF84360F344259D896CB2D7D676CC518682

Function 0000026C9CB9B960 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CB9B991

Part of subcall function 0000026C9CB96FA8: _amsg_exit.LIBCMT ref: 0000026C9CB96FBE

_getptd.LIBCMT ref: 0000026C9CB9B9AF
_CallSETranslator.LIBCMT ref: 0000026C9CB9B9F7

Part of subcall function 0000026C9CB95B7C: _getptd.LIBCMT ref: 0000026C9CB95BA3

Strings

RCC, xrefs: 0000026C9CB9B9CD
MOC, xrefs: 0000026C9CB9B9C5

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$CallTranslator_amsg_exit
String ID: MOC$RCC
API String ID: 1374396951-2084237596
Opcode ID: 471e037796de8d08be6d3bded12a618713ec4ce7d55a937e88732922ae4a25f6
Instruction ID: 8a046d6ebdff373bf6f39c350a03a85da7a0aca2709381bfcb1529ad27df91c1
Opcode Fuzzy Hash: 471e037796de8d08be6d3bded12a618713ec4ce7d55a937e88732922ae4a25f6
Instruction Fuzzy Hash: C161BD72205A80C6EF20EB45D0A87BDB3B0FB85B8CF64451ADB8A476D9DF79C155C700

Function 0000026C9CB8E950 Relevance: 8.9, APIs: 7, Instructions: 135COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000026C9CB8E9BF
free.LIBCMT ref: 0000026C9CB8EA0F
free.LIBCMT ref: 0000026C9CB8EA5F
free.LIBCMT ref: 0000026C9CB8EAAF
free.LIBCMT ref: 0000026C9CB8EADA
free.LIBCMT ref: 0000026C9CB8EAFB
free.LIBCMT ref: 0000026C9CB8EB39

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ccd28d9b9f54d451765389d19c9094d133687f5c0172ac4b6804d316aded8f02
Instruction ID: fca03c67da7c338a4418f8b574bc1adf2d1636cbcee27d3b826a88f8764a475b
Opcode Fuzzy Hash: ccd28d9b9f54d451765389d19c9094d133687f5c0172ac4b6804d316aded8f02
Instruction Fuzzy Hash: B451D13A202B84C5EBA4AF59E59437873B5F719F84F689051DB8E17351CF7AD8A1C310

Function 0000026C9CBA2CFC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026C9CB9F788: _errno.LIBCMT ref: 0000026C9CB9F791
Part of subcall function 0000026C9CB9F788: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB9F79C

_errno.LIBCMT ref: 0000026C9CBA2D27
_errno.LIBCMT ref: 0000026C9CBA2D45
_isatty.LIBCMT ref: 0000026C9CBA2DA6
_getbuf.LIBCMT ref: 0000026C9CBA2DB2

Strings

, xrefs: 0000026C9CBA2D32

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 3655708593-3916222277
Opcode ID: 7b09e1906ab3bdf61c4e12b63eeb87704bb182e1eae830b71b365cf9be8a9ed8
Instruction ID: ac6ff20ff3884c74be4e123b99afe136dac818fd3723e7cccdb5624a7da4705f
Opcode Fuzzy Hash: 7b09e1906ab3bdf61c4e12b63eeb87704bb182e1eae830b71b365cf9be8a9ed8
Instruction Fuzzy Hash: FF41D272602A10C5EB68BF29D58937D37F0E754BA4F344214DAE9073E7DA3AC891C782

Function 0000026C9CB62209 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB6227A
_errno.LIBCMT ref: 0000026C9CB62288
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB62294
_errno.LIBCMT ref: 0000026C9CB622BA

Strings

P, xrefs: 0000026C9CB622CA

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: P
API String ID: 2819658684-3110715001
Opcode ID: 660092e53c6da9f128799a28dcf114ab0748dcf5e7a35d96d3771f801f2aadb1
Instruction ID: 89f05a822ca6ffb7d3dfe278d949240b5e6b633dcb714aeff1fd08e20454cef8
Opcode Fuzzy Hash: 660092e53c6da9f128799a28dcf114ab0748dcf5e7a35d96d3771f801f2aadb1
Instruction Fuzzy Hash: 8331B33061AF4ACAF7A4BA6CD54933D76E0FB58320F740659A8D5C32D3D922CC414683

Function 0000026C9CB92EA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000026C9CB92EE1

Part of subcall function 0000026C9CB94698: HeapFree.KERNEL32 ref: 0000026C9CB946AE
Part of subcall function 0000026C9CB94698: _errno.LIBCMT ref: 0000026C9CB946B8

malloc.LIBCMT ref: 0000026C9CB92F42
free.LIBCMT ref: 0000026C9CB92F5D
SetWaitableTimer.KERNEL32 ref: 0000026C9CB92FFC

Strings

bad allocation, xrefs: 0000026C9CB92F77

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: free$FreeHeapTimerWaitable_errnomalloc
String ID: bad allocation
API String ID: 996728788-2104205924
Opcode ID: 3164918fe516b5a880c1d5ebc565a3863ef63c33cab6ecf522e00527834a8d48
Instruction ID: 356fd42165daad703288465426987cab01f364a7e66f5a9a6387083661181182
Opcode Fuzzy Hash: 3164918fe516b5a880c1d5ebc565a3863ef63c33cab6ecf522e00527834a8d48
Instruction Fuzzy Hash: 32413836612B84C9EB64AF20E9586BC33B4F748B8CFA84125EE8D0BB59DF75C451C314

Function 0000026C9CBA2738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CBA27A9
_errno.LIBCMT ref: 0000026C9CBA27B7
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CBA27C3
_errno.LIBCMT ref: 0000026C9CBA27E9

Strings

P, xrefs: 0000026C9CBA27F8

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: P
API String ID: 2819658684-3110715001
Opcode ID: fe5746ab5c6c9aa6f367b9778bf255be9a480a7c147ea7114c03037db45542f8
Instruction ID: a706fc975fa35ca40613c0795290582a84bc29da3f91bc93ffc70254d67fab91
Opcode Fuzzy Hash: fe5746ab5c6c9aa6f367b9778bf255be9a480a7c147ea7114c03037db45542f8
Instruction Fuzzy Hash: 1721913120B780C1FB596A55D70837DB2F4AB65BE0F284620AEE917BC7E67A8D408702

Function 00007FF7F7342940 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7F7342961
SetWindowsHookExW.USER32 ref: 00007FF7F7342978
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F7341B41), ref: 00007FF7F734298E

Part of subcall function 00007FF7F7319F50: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7F7319F89
Part of subcall function 00007FF7F7319F50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7F7319FE7
Part of subcall function 00007FF7F7319F50: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7F731A03E

Strings

default, xrefs: 00007FF7F73429CC
Qt: INTERNAL ERROR: failed to install GetMessage hook: %d, %s, xrefs: 00007FF7F73429DB

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast$CurrentFormatFreeHookLocalMessageThreadWindows
String ID: Qt: INTERNAL ERROR: failed to install GetMessage hook: %d, %s$default
API String ID: 2698278626-1575284884
Opcode ID: 029406882346d2b61cdb6a24368e8540b4e24a0623796e7308a3d706647215fa
Instruction ID: 0d24328d96702e354b0055263f952214f184ef0345b14c884221f76043cd0d8d
Opcode Fuzzy Hash: 029406882346d2b61cdb6a24368e8540b4e24a0623796e7308a3d706647215fa
Instruction Fuzzy Hash: D631B43AA0874293EB10EF25D841269B360FF85774F944235D96D836E5DF3DD446C790

Function 00007FF7F7382820 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00007FF7F73828CE
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00007FF7F73828EA

Strings

Netapi32, xrefs: 00007FF7F73828B0
NetApiBufferFree, xrefs: 00007FF7F73828E0
NetShareEnum, xrefs: 00007FF7F73828C4

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: AddressProc
String ID: NetApiBufferFree$NetShareEnum$Netapi32
API String ID: 190572456-1465082781
Opcode ID: 9bb911bc9721b275ddb24e47c19060044229378845a87b2b70f2b0579deb2b24
Instruction ID: 41007ee7864196744f8ae8c82f70313360255499cbf09801453509ec56fc304c
Opcode Fuzzy Hash: 9bb911bc9721b275ddb24e47c19060044229378845a87b2b70f2b0579deb2b24
Instruction Fuzzy Hash: D3315E29E0CB8666FB65BB2CA814375E2A0BF41364FD80338D57D462E1DF7DA452C2A0

Function 0000026C9CB9B4D9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 0000026C9CB9B52C
_getptd.LIBCMT ref: 0000026C9CB9B4E1

Part of subcall function 0000026C9CB96FA8: _amsg_exit.LIBCMT ref: 0000026C9CB96FBE

_getptd.LIBCMT ref: 0000026C9CB9B5A3
_getptd.LIBCMT ref: 0000026C9CB9B5AF

Strings

csm, xrefs: 0000026C9CB9B563

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$ExceptionRaise_amsg_exit
String ID: csm
API String ID: 4155239085-1018135373
Opcode ID: cc0bd05e74b97bf011ab24d669f4709e412a339efcd8783e4d18e3893dc3c893
Instruction ID: 4247dfab92c13dfb6b70fb46f636642dd0d12ab3a732333d284b1c7516c07161
Opcode Fuzzy Hash: cc0bd05e74b97bf011ab24d669f4709e412a339efcd8783e4d18e3893dc3c893
Instruction Fuzzy Hash: 9E310936205640C6EB70AF11E06877EB370F7897A9F654226DEDA07BD5DB3AD846CB00

Function 00007FF7F73FDEF0 Relevance: 7.7, APIs: 5, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F73FDF32
GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7F73FDEAF,?,?,?,00007FF7F7405656), ref: 00007FF7F73FDFF0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7F73FDEAF,?,?,?,00007FF7F7405656), ref: 00007FF7F73FE07A

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 4ef2423508507acd93b22b965fa9d9501701fcc0e2be0087648db0337b251196
Instruction ID: 6f04a50aeeee94d207eb52c90a1a95c2f7b2f21b4173d48b78415940ee1f056a
Opcode Fuzzy Hash: 4ef2423508507acd93b22b965fa9d9501701fcc0e2be0087648db0337b251196
Instruction Fuzzy Hash: 3481A22AE1869266FF18BF25C4506FCA661AF84BC4FC40139DA3E537D5DE38A447C3A0

Function 0000026C9CB99CA0 Relevance: 7.6, APIs: 5, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CB99CBF

Part of subcall function 0000026C9CB96FA8: _amsg_exit.LIBCMT ref: 0000026C9CB96FBE

Part of subcall function 0000026C9CB998DC: _getptd.LIBCMT ref: 0000026C9CB998E6
Part of subcall function 0000026C9CB998DC: _amsg_exit.LIBCMT ref: 0000026C9CB99983

Part of subcall function 0000026C9CB99998: GetOEMCP.KERNEL32 ref: 0000026C9CB999C2

Part of subcall function 0000026C9CB9794C: malloc.LIBCMT ref: 0000026C9CB97977
Part of subcall function 0000026C9CB9794C: Sleep.KERNEL32 ref: 0000026C9CB9798A

free.LIBCMT ref: 0000026C9CB99D4A

Part of subcall function 0000026C9CB94698: HeapFree.KERNEL32 ref: 0000026C9CB946AE
Part of subcall function 0000026C9CB94698: _errno.LIBCMT ref: 0000026C9CB946B8

free.LIBCMT ref: 0000026C9CB99E1D
free.LIBCMT ref: 0000026C9CB99E49
_errno.LIBCMT ref: 0000026C9CB99E4E

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$FreeHeapSleepmalloc
String ID:
API String ID: 3974019375-0
Opcode ID: 9d71ec3d00ad548f00efd10b57eac8e9f1b01416729eb742b15b8c3336629385
Instruction ID: 8c9323134197aa317954eabecaba6c3a3738a0b73f822b7eaf874d4c9d87849f
Opcode Fuzzy Hash: 9d71ec3d00ad548f00efd10b57eac8e9f1b01416729eb742b15b8c3336629385
Instruction Fuzzy Hash: 0151E332A02A80C6E7A4BB25E44837DB7B5F795B88F384116DADE473E6CB7AC441C710

Function 0000026C9CB8B1B0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0000026C9CB8B1DF
SetLastError.KERNEL32 ref: 0000026C9CB8B272

Strings

Main, xrefs: 0000026C9CB8B1C2

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLast
String ID: Main
API String ID: 1452528299-521822810
Opcode ID: 1c761e1382f4f4e8e21a5771b2742fd4ded768315d8239df106d7014fd1f2ec6
Instruction ID: 511ffe274263ad0addaeadc806f31280753588d9858850b374439b0235c5f5d1
Opcode Fuzzy Hash: 1c761e1382f4f4e8e21a5771b2742fd4ded768315d8239df106d7014fd1f2ec6
Instruction Fuzzy Hash: CB417932A02A44CBEB14EF25E89837E77B0F748B88F644065DBC947799DB39D852CB40

Function 0000026C9CB8AB80 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 0000026C9CB8ABBC
realloc.LIBCMT ref: 0000026C9CB8AC23

Part of subcall function 0000026C9CB952FC: malloc.LIBCMT ref: 0000026C9CB95319

IsBadReadPtr.KERNEL32 ref: 0000026C9CB8ACA9
SetLastError.KERNEL32 ref: 0000026C9CB8ACCA
SetLastError.KERNEL32 ref: 0000026C9CB8ACE8

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLastRead$mallocrealloc
String ID:
API String ID: 3638135368-0
Opcode ID: 75ed8e998ff67cc508f611bcc8a92760ada60573c1da8e9bb44137df954cd51e
Instruction ID: 176114623514f452784ab62c43888ce1bc50a5c28465bfbb0b4c3ccc25ae2fa3
Opcode Fuzzy Hash: 75ed8e998ff67cc508f611bcc8a92760ada60573c1da8e9bb44137df954cd51e
Instruction Fuzzy Hash: 88415B32206B84C7EB20AF16E89877AB7B0F748B94F584425DF8A07B65DF39E555CB00

Function 0000026C9CBA10A0 Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 0000026C9CBA10FA
malloc.LIBCMT ref: 0000026C9CBA115E
MultiByteToWideChar.KERNEL32 ref: 0000026C9CBA11A6
GetStringTypeW.KERNEL32 ref: 0000026C9CBA11BD
free.LIBCMT ref: 0000026C9CBA11D1

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: f3b033eb96f0b46acd52094bac7bcbe4840888fbf3d9e53257aca99f9f803477
Instruction ID: c745fb480d0005fa471fa959188f4d3ec5b8c35e2b54e54865914266b4fa4ff4
Opcode Fuzzy Hash: f3b033eb96f0b46acd52094bac7bcbe4840888fbf3d9e53257aca99f9f803477
Instruction Fuzzy Hash: A3418232642780C6EB50AF26D8086B977F5FB48BA8F684611EEE947BD5DB36C401C710

Function 00007FF7F7343300 Relevance: 7.6, APIs: 5, Instructions: 98timewindowCOMMON

Download Yara Rule

APIs

GetQueueStatus.USER32 ref: 00007FF7F7343385
KillTimer.USER32 ref: 00007FF7F73433A8
PostMessageW.USER32 ref: 00007FF7F73433E8
SetTimer.USER32 ref: 00007FF7F7343412
_Init_thread_footer.LIBCMT ref: 00007FF7F734349F

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Timer$Init_thread_footerKillMessagePostQueueStatus
String ID:
API String ID: 1136730382-0
Opcode ID: 2a1125463b9bebcfd2710457b2660daa4214678dcf78bf51705dfbb01ba5d737
Instruction ID: d2b2b0768b097d55959510fe21b75a323f4a8910d1329729da309d16b30018c6
Opcode Fuzzy Hash: 2a1125463b9bebcfd2710457b2660daa4214678dcf78bf51705dfbb01ba5d737
Instruction Fuzzy Hash: 3141B339A0869293EB55AF25E8417B9B3A0FF44B90F944039DE2D577D4DE3CE4838760

Function 0000026C9CB874D0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026C9CB87503

Part of subcall function 0000026C9CB946D8: _FF_MSGBANNER.LIBCMT ref: 0000026C9CB94708
Part of subcall function 0000026C9CB946D8: HeapAlloc.KERNEL32 ref: 0000026C9CB9472D
Part of subcall function 0000026C9CB946D8: _callnewh.LIBCMT ref: 0000026C9CB94746
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB94751
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB9475C

free.LIBCMT ref: 0000026C9CB8752B
CreateDIBSection.GDI32 ref: 0000026C9CB87597
free.LIBCMT ref: 0000026C9CB875B6

Part of subcall function 0000026C9CB87E20: GetObjectW.GDI32 ref: 0000026C9CB87E52

free.LIBCMT ref: 0000026C9CB875F6

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: free$_errno$AllocCreateHeapObjectSection_callnewhmalloc
String ID:
API String ID: 2034203143-0
Opcode ID: d3222581a7554e5581b8cf39a13de11888295550bf7cb58ccf28f3286197a644
Instruction ID: 2314a4637dc850f23fdaae25ccf4c9c8eefc409cbd80c2ae751e690138d4e5b0
Opcode Fuzzy Hash: d3222581a7554e5581b8cf39a13de11888295550bf7cb58ccf28f3286197a644
Instruction Fuzzy Hash: 1231AB33216680C2EB25EF22D4543BAB6F4FB88B88F584465EFC967B95DF79C8118700

Function 0000026C9CB8E390 Relevance: 7.6, APIs: 5, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000026C9CB8E3D0
WideCharToMultiByte.KERNEL32 ref: 0000026C9CB8E419
GetLastError.KERNEL32 ref: 0000026C9CB8E42A
WideCharToMultiByte.KERNEL32 ref: 0000026C9CB8E453
WideCharToMultiByte.KERNEL32 ref: 0000026C9CB8E490

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: db64cf0f651dc086ab79881f73d20ca8596acb5f99de422b62a97399abafdd11
Instruction ID: a411c3b3cdb027aa4196a1b6ddaae1cedf3b3be3e2974e2c7f0b8a33205e3644
Opcode Fuzzy Hash: db64cf0f651dc086ab79881f73d20ca8596acb5f99de422b62a97399abafdd11
Instruction Fuzzy Hash: 3F319E36605B81C2E710AF56F88866BB7E5FB98BC4F284125ABC943F64CF39C5458B00

Function 0000026C9CBA6620 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 0000026C9CBA6661
_exception_enabled.LIBCMT ref: 0000026C9CBA6684

Part of subcall function 0000026C9CBA6564: _set_statfp.LIBCMT ref: 0000026C9CBA658B
Part of subcall function 0000026C9CBA6564: _set_statfp.LIBCMT ref: 0000026C9CBA65FE

_raise_exc.LIBCMT ref: 0000026C9CBA66D0
_ctrlfp.LIBCMT ref: 0000026C9CBA6710
_ctrlfp.LIBCMT ref: 0000026C9CBA6741

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_exc
String ID:
API String ID: 3456427917-0
Opcode ID: 79c14e7db4d2e84cf453b14f21dc6eac39ded45f04e70965ea2fc96844330a76
Instruction ID: 2d6a669ecbfc53dc8c2ddf8805a10056cb501be8fa8c970c5615469a934d0f72
Opcode Fuzzy Hash: 79c14e7db4d2e84cf453b14f21dc6eac39ded45f04e70965ea2fc96844330a76
Instruction Fuzzy Hash: 1C319D36625A84CAEB50EF24E8457BFB7B0FB99388F100215FEC946A58DF39C441CB00

Function 0000026C9CB94790 Relevance: 7.6, APIs: 5, Instructions: 80memorythreadCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 0000026C9CB947E2
GetSystemInfo.KERNEL32 ref: 0000026C9CB947F9
SetThreadStackGuarantee.KERNEL32 ref: 0000026C9CB9480B
VirtualAlloc.KERNEL32 ref: 0000026C9CB9485E
VirtualProtect.KERNEL32 ref: 0000026C9CB94878

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocGuaranteeInfoProtectQueryStackSystemThread
String ID:
API String ID: 513674450-0
Opcode ID: 7dd9ea1c87e4549bff250d1b923e95236c2df90eb6d5819fd71ae98f73500695
Instruction ID: 44e5cce7fcaef033796eaa23207a8fb02cd381534658a2ae220ff9aea01719f3
Opcode Fuzzy Hash: 7dd9ea1c87e4549bff250d1b923e95236c2df90eb6d5819fd71ae98f73500695
Instruction Fuzzy Hash: 4F316F32311A81CAEB24DF31E8987F933A4F748B8CF584026DA8A87B44DF39D645C750

Function 0000026C9CB64D71 Relevance: 7.6, APIs: 5, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB64D8A
__doserrno.LIBCMT ref: 0000026C9CB64E07
_errno.LIBCMT ref: 0000026C9CB64E0E

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$__doserrno
String ID:
API String ID: 2614100947-0
Opcode ID: 99b79441b117c2156b15fee70a411776e79b9b80606a67e6e6752f694ee3bad7
Instruction ID: 51b865339ec542d67865d6ede8d7f1ddd14ba28aaeb85b6d6b9e1f0e6d1373b9
Opcode Fuzzy Hash: 99b79441b117c2156b15fee70a411776e79b9b80606a67e6e6752f694ee3bad7
Instruction Fuzzy Hash: 3721F930606A40CEF719FF68D99D3BD76F0EB45330F24452CE995872D3D76688408B62

Function 0000026C9CB58529 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB5854D
_errno.LIBCMT ref: 0000026C9CB58566
_errno.LIBCMT ref: 0000026C9CB58588
_errno.LIBCMT ref: 0000026C9CB585A3
_errno.LIBCMT ref: 0000026C9CB585AD

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: e0a6f99f23bc9ffbc8dd80dba2f8abd9560bbbb3885de2e40a26830c9027ae13
Instruction ID: 7905ec708c4b1f38a03449fe0c56dc0f1a68825094e37bd30347f08b86531d71
Opcode Fuzzy Hash: e0a6f99f23bc9ffbc8dd80dba2f8abd9560bbbb3885de2e40a26830c9027ae13
Instruction Fuzzy Hash: 29219030455A88CFEBA0BB58E04A37473F0FB59315F300199E9D9C72A6D772DC418B82

Function 0000026C9CB948FC Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 0000026C9CB94925
DecodePointer.KERNEL32 ref: 0000026C9CB94935

Part of subcall function 0000026C9CB99624: _errno.LIBCMT ref: 0000026C9CB9962D
Part of subcall function 0000026C9CB99624: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB99638

EncodePointer.KERNEL32 ref: 0000026C9CB949B3

Part of subcall function 0000026C9CB97A50: realloc.LIBCMT ref: 0000026C9CB97A7B
Part of subcall function 0000026C9CB97A50: Sleep.KERNEL32 ref: 0000026C9CB97A97

EncodePointer.KERNEL32 ref: 0000026C9CB949C3
EncodePointer.KERNEL32 ref: 0000026C9CB949D0

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: 17991c27d76004656ba42ca55b295eb408c37ea0a9db000b327a412a6d1edf3e
Instruction ID: cc932114d03dba963f8223fbfb09beef6ce86759f99e6741ba76422b44c77adb
Opcode Fuzzy Hash: 17991c27d76004656ba42ca55b295eb408c37ea0a9db000b327a412a6d1edf3e
Instruction Fuzzy Hash: E4212832303A44C5EB14BB61E94D27AB3F1B749B88FA44825DACE47759EE7AC485C704

Function 0000026C9CB8E280 Relevance: 7.6, APIs: 5, Instructions: 61networkstringCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 0000026C9CB8E2BC
getpeername.WS2_32 ref: 0000026C9CB8E2C4
htons.WS2_32 ref: 0000026C9CB8E2E1
lstrlenW.KERNEL32 ref: 0000026C9CB8E317
WSAGetLastError.WS2_32 ref: 0000026C9CB8E328

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLastgetpeernamegetsocknamehtonslstrlen
String ID:
API String ID: 1560998626-0
Opcode ID: c734a573ce7dfaef318db430d04840a229c3ced714760d5c3b5a73f40af316d9
Instruction ID: 825695d876fa97b62cadb1d64a4505ca5a636e4959982f3c9aa7f80a76912837
Opcode Fuzzy Hash: c734a573ce7dfaef318db430d04840a229c3ced714760d5c3b5a73f40af316d9
Instruction Fuzzy Hash: 4A218B76605780C6EB20AF15E48827D77F0F798BC1FA40126EBC983BA4DB39C955CB00

Function 00007FF7F73F8E40 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F73F8E64
CreateThread.KERNEL32 ref: 00007FF7F73F8EA5
GetLastError.KERNEL32 ref: 00007FF7F73F8EB3
CloseHandle.KERNEL32 ref: 00007FF7F73F8ED0
FreeLibrary.KERNEL32 ref: 00007FF7F73F8EDF

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 9f3bf3b611a25fd9af20a1efec53b308f414e593c4ce8467026b1375e3291df5
Instruction ID: 0dde5e8e853d8dc1761056686fa3be287b11bffcb330f1510aca0e6775eea013
Opcode Fuzzy Hash: 9f3bf3b611a25fd9af20a1efec53b308f414e593c4ce8467026b1375e3291df5
Instruction Fuzzy Hash: DF217F2AA0978296EF0DEF65A4101F9E391AF94BC0F940438DA7D03BD5DF3CE412D6A0

Function 0000026C9CB812C0 Relevance: 7.6, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32 ref: 0000026C9CB812E8
VirtualFree.KERNEL32 ref: 0000026C9CB8130C
VirtualFree.KERNEL32 ref: 0000026C9CB8132E
VirtualFree.KERNEL32 ref: 0000026C9CB8135B
VirtualFree.KERNEL32 ref: 0000026C9CB81376
VirtualFree.KERNEL32 ref: 0000026C9CB81391

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 1aa11bdb4510720bd8ad46d36d805cf89cd9d24c8924a76da2260b9335f5542b
Instruction ID: c18e2dae1fc04ac31a75e8cf0cadc93b078900fd6025551dec6c53196ef28374
Opcode Fuzzy Hash: 1aa11bdb4510720bd8ad46d36d805cf89cd9d24c8924a76da2260b9335f5542b
Instruction Fuzzy Hash: D121EA36312B00C6EB98DF66E54463973F9FF88F88F2481158E8943A68CF36C455C710

Function 00007FF7F740500C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7F7405034
_set_statfp.LIBCMT ref: 00007FF7F740504F
_set_statfp.LIBCMT ref: 00007FF7F740506B
_set_statfp.LIBCMT ref: 00007FF7F74050A7

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: b438fef95e9de4e192e54f68da003bfb06ab1a0320ce8f8e52a96597e9ab0918
Instruction ID: 745a2fea003c3bbad25830015107c9ffc3cc9861d5a41a02fc7f99367a53a6b8
Opcode Fuzzy Hash: b438fef95e9de4e192e54f68da003bfb06ab1a0320ce8f8e52a96597e9ab0918
Instruction Fuzzy Hash: D011423AE18A0385F7583129D855B7DD141FF95372F880634EA7E0A2DAEE6CA84345F0

Function 0000026C9CB8DDC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 0000026C9CB8DE05
setsockopt.WS2_32 ref: 0000026C9CB8DE28
setsockopt.WS2_32 ref: 0000026C9CB8DE58
setsockopt.WS2_32 ref: 0000026C9CB8DE7B
SetLastError.KERNEL32 ref: 0000026C9CB8DE93

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: setsockopt$ErrorLast
String ID:
API String ID: 1564866530-0
Opcode ID: 3616964d9e68d5e10b4d5a33af7c41ce66c25ecf9a3d6ccf82dd9a2d54687743
Instruction ID: 76f58f5077a17f2983a905ac7090501edab4d1e746fa7444bd14cb3d32f4657d
Opcode Fuzzy Hash: 3616964d9e68d5e10b4d5a33af7c41ce66c25ecf9a3d6ccf82dd9a2d54687743
Instruction Fuzzy Hash: FD114D71604986C7E7209F64E44837AB7B1FB957A4FA00625EBD806ED8CB7EC5498B04

Function 0000026C9CB87D50 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 0000026C9CB87D98
SelectObject.GDI32 ref: 0000026C9CB87DA9
SetDIBColorTable.GDI32 ref: 0000026C9CB87DBF
SelectObject.GDI32 ref: 0000026C9CB87DD2
DeleteDC.GDI32 ref: 0000026C9CB87DF4

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ObjectSelect$ColorCompatibleCreateDeleteTable
String ID:
API String ID: 3899591553-0
Opcode ID: 8947a06e24e96cbb16fea5535f0303150291ac82d5cc01e71dd39e0745be825e
Instruction ID: ddbf29b06d4d9bc70686c5d869271caf0db01707f2874eb141b8118b5d1f56c1
Opcode Fuzzy Hash: 8947a06e24e96cbb16fea5535f0303150291ac82d5cc01e71dd39e0745be825e
Instruction Fuzzy Hash: A7215436202A10C9EB55EF65E89873933B4FB58B98F245025DACA53B58CF37C881C380

Function 0000026C9CB8C8D0 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000026C9CB8C8F5
EnterCriticalSection.KERNEL32 ref: 0000026C9CB8C8FF
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB8C90F
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB8C919

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 1f6a9fb51c2b84da157e2e3cd1e1033ba792cdd02042b8f3db644f72fc9350c0
Instruction ID: aa928e4b57c88b265664390d631a6abb636b762b1aa4e951001967ff6db64495
Opcode Fuzzy Hash: 1f6a9fb51c2b84da157e2e3cd1e1033ba792cdd02042b8f3db644f72fc9350c0
Instruction Fuzzy Hash: 94110A36625A41C3EBA0AB21F4983BA73B0F748751F941161DBCB46A60DF3ED8CAC700

Function 0000026C9CB623C1 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CB623CA
_errno.LIBCMT ref: 0000026C9CB623D2

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 6757352e70f42596cca19de4ec5f347dbdabdcc3122fab71287a82e6dbf43f1a
Instruction ID: 9247d04c9c89bf833569ae0cfe48cde865d00567b15116e4133d2777dbb6eef2
Opcode Fuzzy Hash: 6757352e70f42596cca19de4ec5f347dbdabdcc3122fab71287a82e6dbf43f1a
Instruction Fuzzy Hash: 0301F470127888CEF359BB64C94D3F876B0FB01339FB54354E595872E3CB7A84508622

Function 0000026C9CB9ACC8 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000026C9CB9ACFF
GetCurrentProcessId.KERNEL32 ref: 0000026C9CB9AD0A
GetCurrentThreadId.KERNEL32 ref: 0000026C9CB9AD16
GetTickCount.KERNEL32 ref: 0000026C9CB9AD22
QueryPerformanceCounter.KERNEL32 ref: 0000026C9CB9AD33

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 087ee9406ee3a35d804722b5ad4831615591c4c9cb0efb3c3ae35d0179c68e7c
Instruction ID: 948401a4afa2335e1963e75da46456e1f51b2ba215da78ddf30e76fce24c958d
Opcode Fuzzy Hash: 087ee9406ee3a35d804722b5ad4831615591c4c9cb0efb3c3ae35d0179c68e7c
Instruction Fuzzy Hash: 1501C031666A00C6EB40EF21F84837673B0F758B90FA42520EEDE07BA0CB3EC9948710

Function 0000026C9CBA28F0 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000026C9CBA28F9
_errno.LIBCMT ref: 0000026C9CBA2901

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 6757352e70f42596cca19de4ec5f347dbdabdcc3122fab71287a82e6dbf43f1a
Instruction ID: 0e48dd4ba43591b69baad390295b41c610bc7d032304d47c0e09142d4cc7f6eb
Opcode Fuzzy Hash: 6757352e70f42596cca19de4ec5f347dbdabdcc3122fab71287a82e6dbf43f1a
Instruction Fuzzy Hash: D701DC72616604C4FF493B68C99A37C36B09B91BB6F704320C5ED023E3D6AE8400821A

Function 0000026C9CB44241 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 0000026C9CB44373
swprintf.LIBCMT ref: 0000026C9CB4438F

Strings

:, xrefs: 0000026C9CB4428F
@, xrefs: 0000026C9CB442FF

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: swprintf
String ID: :$@
API String ID: 233258989-1367939426
Opcode ID: aa3c12b0f75a9633f1606798e54ea64259bcbeae9b44ae6a6ec7170fd715e250
Instruction ID: d22a5f1c90a00c53ab219205a38c26ed5668a002a1892abfee1501241acfa59f
Opcode Fuzzy Hash: aa3c12b0f75a9633f1606798e54ea64259bcbeae9b44ae6a6ec7170fd715e250
Instruction Fuzzy Hash: 41414E7151CB488FD768EF18D485B6AB7E4FB9A300F50061EE98EC3252EB35D446CB86

Function 00007FF7F73B5B90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F73F1200: EnterCriticalSection.KERNEL32 ref: 00007FF7F73F1210

GetProcAddress.KERNEL32 ref: 00007FF7F73B5C8C
_Init_thread_footer.LIBCMT ref: 00007FF7F73B5D07

Strings

shell32, xrefs: 00007FF7F73B5C2C
SHGetKnownFolderPath, xrefs: 00007FF7F73B5C82

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: AddressCriticalEnterInit_thread_footerProcSection
String ID: SHGetKnownFolderPath$shell32
API String ID: 3050242151-1045111711
Opcode ID: 2781453f8c16aefac335e9e8166fe62accc3f6a5c6ed498f4cfd73c8d39d4c5b
Instruction ID: 926b8cf04ec2dfb205d155b1863c440a29f7a10d65634703dc05eb0dfd182d2e
Opcode Fuzzy Hash: 2781453f8c16aefac335e9e8166fe62accc3f6a5c6ed498f4cfd73c8d39d4c5b
Instruction Fuzzy Hash: 33517436A09A8196E750EB1CE840379B3A0FB85794F940239E6AD837D5DF3CD442CB90

Function 0000026C9CB92040 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117networkCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 0000026C9CB92078
WSAGetLastError.WS2_32 ref: 0000026C9CB92086
WSAResetEvent.WS2_32 ref: 0000026C9CB920C3

Strings

, xrefs: 0000026C9CB92192

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: EnumErrorEventEventsLastNetworkReset
String ID:
API String ID: 1050048411-3916222277
Opcode ID: a43ef72c0ef5dea547670d24ae46d00b54fdd337623529927378a7758b4313cd
Instruction ID: 20309c7d6235b9519d2889a37a433dca425384376288c244be262807a81d46d5
Opcode Fuzzy Hash: a43ef72c0ef5dea547670d24ae46d00b54fdd337623529927378a7758b4313cd
Instruction Fuzzy Hash: AA519A72901600C6F368EF26D40837E77F1E788B8CF250115DAC94339ACB7AC9558B81

Function 0000026C9CB5AFAA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CB5AFB2
_getptd.LIBCMT ref: 0000026C9CB5B074
_getptd.LIBCMT ref: 0000026C9CB5B080

Strings

csm, xrefs: 0000026C9CB5B034

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: cc0bd05e74b97bf011ab24d669f4709e412a339efcd8783e4d18e3893dc3c893
Instruction ID: b13d31674361ccad8af39f02553cf2fed0e0189dcd685813b7163c562cb93f61
Opcode Fuzzy Hash: cc0bd05e74b97bf011ab24d669f4709e412a339efcd8783e4d18e3893dc3c893
Instruction Fuzzy Hash: 90315A30109B44CBEB68EF08C495BB9B3F0FB58311F24062DD4CA83682D772E946CB86

Function 0000026C9CB9CE30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 0000026C9CB9CE6B
_errno.LIBCMT ref: 0000026C9CB9CE75
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB9CE7C

Strings

-, xrefs: 0000026C9CB9CE97

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 3ee52a3a24785a7fc091806b0d958f2a81b7a6cfbcf0ce8e670c4bd10c065dff
Instruction ID: 63e4014429150872253b3bcc768a73cde988deca152896db66e3b7f3c8143ea9
Opcode Fuzzy Hash: 3ee52a3a24785a7fc091806b0d958f2a81b7a6cfbcf0ce8e670c4bd10c065dff
Instruction Fuzzy Hash: DB31D832305A84C5EB20AF66E4487BAB7B0A755BD8F344112EED947BD6DB2AC445C710

Function 0000026C9CBA1D4C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CBA1D65
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CBA1D71
_errno.LIBCMT ref: 0000026C9CBA1D98

Strings

1, xrefs: 0000026C9CBA1DE7

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: 1
API String ID: 2819658684-2212294583
Opcode ID: e42cd22b66c2c710ae5e79c5bbbebf2e77b3ed4b785cd6836f41a57508a0d04c
Instruction ID: 5e3e1a2d12a941fd896e606cf8b67d51513aa8caa23425820d7c740c0bbbd0c1
Opcode Fuzzy Hash: e42cd22b66c2c710ae5e79c5bbbebf2e77b3ed4b785cd6836f41a57508a0d04c
Instruction Fuzzy Hash: 52216F3221B6E0D5FBE6AB28C45837C7AF4AB45B84FB9C451D6D6062D3E62B8940C711

Function 00007FF7F73434B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00007FF7F7343524
SetWindowLongPtrW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F7341B32), ref: 00007FF7F7343562

Part of subcall function 00007FF7F731B5D0: _Init_thread_footer.LIBCMT ref: 00007FF7F731B703

Strings

struct HWND__ *__cdecl qt_create_internal_window(const class QEventDispatcherWin32 *), xrefs: 00007FF7F7343532
%s: CreateWindow() for QEventDispatcherWin32 internal window failed, xrefs: 00007FF7F7343539

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Window$CreateInit_thread_footerLong
String ID: %s: CreateWindow() for QEventDispatcherWin32 internal window failed$struct HWND__ *__cdecl qt_create_internal_window(const class QEventDispatcherWin32 *)
API String ID: 2938593978-1541743766
Opcode ID: eda67fbf92e630d0c72160588c332b7d3a44e1f2591f00d15a80d56d91615364
Instruction ID: cf2fff60cb4f6f5fe51fadc4e3b10f71cdb57a7e79e8eb1071ffd855d8daf09d
Opcode Fuzzy Hash: eda67fbf92e630d0c72160588c332b7d3a44e1f2591f00d15a80d56d91615364
Instruction Fuzzy Hash: 63116B35A1C69183E7519F29F84106AA6A0FB44BE0F940239EBBD537D9DF7CD4428B90

Function 00007FF7F731AED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55COMMON

Download Yara Rule

Strings

QT_FATAL_WARNINGS, xrefs: 00007FF7F731AF9C
QT_FATAL_CRITICALS, xrefs: 00007FF7F731AF64

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID: QT_FATAL_CRITICALS$QT_FATAL_WARNINGS
API String ID: 0-1785144594
Opcode ID: 31495e7dcf0985454016301e3335c3f448df0f4c99aa0aa242f01e66ea667f80
Instruction ID: 496a15871d31d103b5ca9c5f711b795634245eebb7bb400a2a2e909b981d1af9
Opcode Fuzzy Hash: 31495e7dcf0985454016301e3335c3f448df0f4c99aa0aa242f01e66ea667f80
Instruction Fuzzy Hash: F1214B68D095C2A6FB50BB1CAC800B4A350AF69361FE0027AC13D472F1DE6CB56787E0

Function 0000026C9CB93E78 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 0000026C9CB93E86
malloc.LIBCMT ref: 0000026C9CB93E92

Part of subcall function 0000026C9CB946D8: _FF_MSGBANNER.LIBCMT ref: 0000026C9CB94708
Part of subcall function 0000026C9CB946D8: HeapAlloc.KERNEL32 ref: 0000026C9CB9472D
Part of subcall function 0000026C9CB946D8: _callnewh.LIBCMT ref: 0000026C9CB94746
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB94751
Part of subcall function 0000026C9CB946D8: _errno.LIBCMT ref: 0000026C9CB9475C

std::exception::exception.LIBCMT ref: 0000026C9CB93EFF

Strings

bad allocation, xrefs: 0000026C9CB93ECF

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _callnewh_errno$AllocHeapmallocstd::exception::exception
String ID: bad allocation
API String ID: 2837191506-2104205924
Opcode ID: 15ab1da4c976b5a443b990e10891d2bdf45618e1db579182d28fa9cee56dbbac
Instruction ID: 48a7515c7c93b3f42227225773168b1c81c6106fb0d168571401fc3b47f2360a
Opcode Fuzzy Hash: 15ab1da4c976b5a443b990e10891d2bdf45618e1db579182d28fa9cee56dbbac
Instruction Fuzzy Hash: 6C0129B5643B05D1FB11FB20F8597B573B0B759388FA41425DACE466A2EB3BC249CB10

Function 00007FF7F73406E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF7F7340722
ResumeThread.KERNEL32 ref: 00007FF7F734073F

Part of subcall function 00007FF7F731B5D0: _Init_thread_footer.LIBCMT ref: 00007FF7F731B703

Strings

QThread::start: Failed to resume new thread, xrefs: 00007FF7F734074A
QThread::start: Failed to set thread priority, xrefs: 00007FF7F734072C

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: 37056db6683098725aff1277900d26c7f0a8d787be9077936edb7e7a0fbe72ea
Instruction ID: 2639efe35a299ba719d3a84e67eac0883d878bfe7c2a6c0eeaf38cac13e0eebe
Opcode Fuzzy Hash: 37056db6683098725aff1277900d26c7f0a8d787be9077936edb7e7a0fbe72ea
Instruction Fuzzy Hash: 7FF04F19F0C58292E754BB35EC112B893506F807B0FA50335D93E421E2DE6CE84796A1

Function 00007FF7F73406E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF7F7340722
ResumeThread.KERNEL32 ref: 00007FF7F734073F

Part of subcall function 00007FF7F731B5D0: _Init_thread_footer.LIBCMT ref: 00007FF7F731B703

Strings

QThread::start: Failed to resume new thread, xrefs: 00007FF7F734074A
QThread::start: Failed to set thread priority, xrefs: 00007FF7F734072C

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: 1c009da80423eb9776ad27b4896bc7a3d78086aba397a6fdea3ffa2447fc16ef
Instruction ID: 3c465c06b08433ea833bdd46609d3cc2d7f94bc434e412abf03afd9282e62a72
Opcode Fuzzy Hash: 1c009da80423eb9776ad27b4896bc7a3d78086aba397a6fdea3ffa2447fc16ef
Instruction Fuzzy Hash: E0F04F19F0C58292E754BB35EC112B893506F807B0FA50335D93E421E2DE6CE84796A1

Function 00007FF7F73406EE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF7F7340722
ResumeThread.KERNEL32 ref: 00007FF7F734073F

Part of subcall function 00007FF7F731B5D0: _Init_thread_footer.LIBCMT ref: 00007FF7F731B703

Strings

QThread::start: Failed to resume new thread, xrefs: 00007FF7F734074A
QThread::start: Failed to set thread priority, xrefs: 00007FF7F734072C

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: 738b75d211e5ce6c5a6eb55f8bdd90dc21dfe2866fd69c22f6834b402a36fb24
Instruction ID: 2c2cd7caed0127bb1bf7d69258368d93a2a7734e7b6ca28da782deac4a493a54
Opcode Fuzzy Hash: 738b75d211e5ce6c5a6eb55f8bdd90dc21dfe2866fd69c22f6834b402a36fb24
Instruction Fuzzy Hash: B8F06229F0C58292E754BF35EC112B893507F807B0FA50335DD3E421E2DE6CE84796A1

Function 00007FF7F73406F3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF7F7340722
ResumeThread.KERNEL32 ref: 00007FF7F734073F

Part of subcall function 00007FF7F731B5D0: _Init_thread_footer.LIBCMT ref: 00007FF7F731B703

Strings

QThread::start: Failed to resume new thread, xrefs: 00007FF7F734074A
QThread::start: Failed to set thread priority, xrefs: 00007FF7F734072C

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: ba23d353b47921fc19f649bdb096968185609f198af8a22fc68cd0ba66401e9a
Instruction ID: 96686c58c1aaaf9a5dcd820a2088d6faf4885ef4ccfb60fcca458b3a7230e86a
Opcode Fuzzy Hash: ba23d353b47921fc19f649bdb096968185609f198af8a22fc68cd0ba66401e9a
Instruction Fuzzy Hash: 02F06229F0C58292E754BF35EC112B893506F807B0F950335D93E421E2DE6CEC8796A1

Function 00007FF7F73406FA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF7F7340722
ResumeThread.KERNEL32 ref: 00007FF7F734073F

Part of subcall function 00007FF7F731B5D0: _Init_thread_footer.LIBCMT ref: 00007FF7F731B703

Strings

QThread::start: Failed to resume new thread, xrefs: 00007FF7F734074A
QThread::start: Failed to set thread priority, xrefs: 00007FF7F734072C

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: 98667de634df17e3002f528c503baf9fd399360d270cee6032a1187459161a2c
Instruction ID: 85998d3c59f026e6c52becca854c88d7d77cad80e473fe06191b43565abed2bf
Opcode Fuzzy Hash: 98667de634df17e3002f528c503baf9fd399360d270cee6032a1187459161a2c
Instruction Fuzzy Hash: E9F06219F0C58292E754BF35EC112B99350AF807B0F950335D93E421E2DE6CEC8796A1

Function 00007FF7F7340701 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32 ref: 00007FF7F7340722
ResumeThread.KERNEL32 ref: 00007FF7F734073F

Part of subcall function 00007FF7F731B5D0: _Init_thread_footer.LIBCMT ref: 00007FF7F731B703

Strings

QThread::start: Failed to resume new thread, xrefs: 00007FF7F734074A
QThread::start: Failed to set thread priority, xrefs: 00007FF7F734072C

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$Init_thread_footerPriorityResume
String ID: QThread::start: Failed to resume new thread$QThread::start: Failed to set thread priority
API String ID: 3594913340-1828396829
Opcode ID: 68c966794d45a26bc0ce352807e4506a2a3e803fc2058c9121001f91d073ba25
Instruction ID: 5a58fc87679fa3b2f94f15bc783f26ac40a22e533c99dd55b3c408793a3f237b
Opcode Fuzzy Hash: 68c966794d45a26bc0ce352807e4506a2a3e803fc2058c9121001f91d073ba25
Instruction Fuzzy Hash: 6EF06219F0C58292E754BF35EC112B893506F807B0F950335D93E421E2DE6CEC8796A1

Function 0000026C9CB975A8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000026C9CB975B7
GetProcAddress.KERNEL32 ref: 0000026C9CB975CC

Strings

mscoree.dll, xrefs: 0000026C9CB975B0
CorExitProcess, xrefs: 0000026C9CB975C2

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 616ddb4d295f18e0d5ebf620ba6ad7aac28a66247e066f97f832725591873133
Instruction ID: 07bab7ee3f8e71c460b5896b841f17aa7d5b60f4d31ebaa9c42ea613d8c37b36
Opcode Fuzzy Hash: 616ddb4d295f18e0d5ebf620ba6ad7aac28a66247e066f97f832725591873133
Instruction Fuzzy Hash: 41E01231B13604C2FF597B91E8AC73533F1AB48700FA8142885DE06390EE3AC959C310

Function 0000026C9CB47A01 Relevance: 6.4, APIs: 4, Instructions: 370COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 0000026C9CB47B81

Part of subcall function 0000026C9CB53949: malloc.LIBCMT ref: 0000026C9CB53963

Part of subcall function 0000026C9CB538DD: _errno.LIBCMT ref: 0000026C9CB538FC
Part of subcall function 0000026C9CB538DD: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB53908

swprintf.LIBCMT ref: 0000026C9CB47CAB
swprintf.LIBCMT ref: 0000026C9CB47D2C

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: swprintf$_errno_invalid_parameter_noinfomalloc
String ID:
API String ID: 3059695456-0
Opcode ID: 83e036968b326672d0b92e37a96612a69de521473cdec3eb1b53c30150c31c59
Instruction ID: 2baa3f194b860810099ae560b4e449a7e4cdb0089096ef0c063c1194f7358fd9
Opcode Fuzzy Hash: 83e036968b326672d0b92e37a96612a69de521473cdec3eb1b53c30150c31c59
Instruction Fuzzy Hash: 82C18631218A48CFEB98FB1CD4997B573E2FB98311F204569A49EC7393DA39D906C781

Function 0000026C9CB53001 Relevance: 6.3, APIs: 4, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dffe288ca264538c5c7c083a689d4f4f3ccceafdf2d5e5b341118a0687c4bba
Instruction ID: 77c68a036669a2c612b9dee76d97f064f418ab942190d38b4a7eb317dda26235
Opcode Fuzzy Hash: 4dffe288ca264538c5c7c083a689d4f4f3ccceafdf2d5e5b341118a0687c4bba
Instruction Fuzzy Hash: 20A1B330619F8DCBE768FF59D4897BAB3E1FB99301F64052ED48AC3251DA32D8458782

Function 0000026C9CB908F0 Relevance: 6.3, APIs: 5, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 0000026C9CB90925
MultiByteToWideChar.KERNEL32 ref: 0000026C9CB9095C
GetLastError.KERNEL32 ref: 0000026C9CB9096D
MultiByteToWideChar.KERNEL32 ref: 0000026C9CB90994
MultiByteToWideChar.KERNEL32 ref: 0000026C9CB909C7

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 0f019e937948a6d47832e34f67adf2063f94cc7fb04caa044bbf51efa6f953eb
Instruction ID: 47b8e28ea05ad26ea0f273ab0b1d4607c097f1e83bee6adb7354c35f38695a23
Opcode Fuzzy Hash: 0f019e937948a6d47832e34f67adf2063f94cc7fb04caa044bbf51efa6f953eb
Instruction Fuzzy Hash: 3C218D36705B81C2E724ABA6F44876BB7A1F788BD8F948025AEC843B64DF7DC5498700

Function 0000026C9CB8B360 Relevance: 6.3, APIs: 5, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000026C9CB8B3A5
free.LIBCMT ref: 0000026C9CB8B3E5
free.LIBCMT ref: 0000026C9CB8B438
GetProcessHeap.KERNEL32 ref: 0000026C9CB8B445
HeapFree.KERNEL32 ref: 0000026C9CB8B453

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: free$Heap$FreeProcess
String ID:
API String ID: 3493288988-0
Opcode ID: e74aae544f5a46ba22eee78589248f0f87bde554db02cbcf63cd116665f5f2e6
Instruction ID: 9f364c041fe2b0887a09b836d9776d9505ef98dd9bf68bfd5b09f357b07b972c
Opcode Fuzzy Hash: e74aae544f5a46ba22eee78589248f0f87bde554db02cbcf63cd116665f5f2e6
Instruction Fuzzy Hash: 57311836712A50D2EB58AB66E59477E73B0FB89F80F184061EF8A13B95CF36D4A18700

Function 0000026C9CB92B30 Relevance: 6.3, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0000026C9CB92B44
EnterCriticalSection.KERNEL32 ref: 0000026C9CB92B5F
SetLastError.KERNEL32 ref: 0000026C9CB92B70
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB92B79

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: e5f5a7a0dc5c8876328b0cc5bc067911a8c5247e3853157b53872c7db5139999
Instruction ID: 2d35f52f5a5b7be902270771a7414116982bfb10f5e2d764650ec88c3bffa0f2
Opcode Fuzzy Hash: e5f5a7a0dc5c8876328b0cc5bc067911a8c5247e3853157b53872c7db5139999
Instruction Fuzzy Hash: 26011231B15A44C3EB546B65F45937C32B1F789B64FA81220DABA47BD1DF3AC4A58700

Function 00007FF7F7365DB0 Relevance: 6.2, APIs: 4, Instructions: 246COMMONLIBRARYCODE

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FF7F7365E7D
std::bad_exception::bad_exception.LIBCMT ref: 00007FF7F7365E9A
std::bad_exception::bad_exception.LIBCMT ref: 00007FF7F7365EB7
std::bad_exception::bad_exception.LIBCMT ref: 00007FF7F7365FCF

Part of subcall function 00007FF7F73F0CE8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F73F0D18

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: std::bad_exception::bad_exception$Concurrency::cancel_current_task
String ID:
API String ID: 208461638-0
Opcode ID: 73a7ac148250d6fe23e634dcb3216ee3d6b184c37dc2c70ddf0f85e991ab9da2
Instruction ID: f3be1bd9299734169725f004791db92c433addf70d577e1a3592e4ad62f53066
Opcode Fuzzy Hash: 73a7ac148250d6fe23e634dcb3216ee3d6b184c37dc2c70ddf0f85e991ab9da2
Instruction Fuzzy Hash: 28A10F3990AB8297EF59BB55A4117B9A2D4BF46740FC5403CD6AD0B3C6EF3CE40687A0

Function 0000026C9CB54AED Relevance: 6.2, APIs: 4, Instructions: 220COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB54B1C
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB54B27
iswctype.LIBCMT ref: 0000026C9CB54B60
_errno.LIBCMT ref: 0000026C9CB54C8A

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfoiswctype
String ID:
API String ID: 248606491-0
Opcode ID: aad8be474cf42d8bda1240b94c4801284bb18eb27a84c17ce0c255e9d8952077
Instruction ID: 5e6f61b130f12ecb0113073d0082967257e2d0025c65fe9d61678c5210833761
Opcode Fuzzy Hash: aad8be474cf42d8bda1240b94c4801284bb18eb27a84c17ce0c255e9d8952077
Instruction Fuzzy Hash: FF51393280E699C5FB783A99D88E3BA31F5E791350F341219EDE6C71C1E663C8464DA2

Function 0000026C9CB9501C Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB9504B
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB95056
iswctype.LIBCMT ref: 0000026C9CB9508F
_errno.LIBCMT ref: 0000026C9CB951B9

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfoiswctype
String ID:
API String ID: 248606491-0
Opcode ID: 8990e4657c5db3c90a51578a81b61c88cef929f9a05e6dfaeb4bfedc03f5f406
Instruction ID: 6e6ed060f9fea60f6941b11ac8c99854b78f2f849b92cbf20ac9b11d68378af6
Opcode Fuzzy Hash: 8990e4657c5db3c90a51578a81b61c88cef929f9a05e6dfaeb4bfedc03f5f406
Instruction Fuzzy Hash: B351E3729C2131C5FBB43A2AD80E3BE31F5A74175CF354712DED2421C5E67B898D8252

Function 0000026C9CB5ABDD Relevance: 6.2, APIs: 4, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026C9CB5540D: _getptd.LIBCMT ref: 0000026C9CB55411

_getptd.LIBCMT ref: 0000026C9CB5AC1C
_SetImageBase.LIBCMT ref: 0000026C9CB5ACEF
_getptd.LIBCMT ref: 0000026C9CB5AD1D
_getptd.LIBCMT ref: 0000026C9CB5AD2B

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$BaseImage
String ID:
API String ID: 2482573191-0
Opcode ID: 825492a4e877475194c45bc95f10e965864965674adb443cf1176bdd3bc0c523
Instruction ID: b7d4bc890bc482e8741d18af41ffc2f8ea1df463231de22d4c3af87dd7901e15
Opcode Fuzzy Hash: 825492a4e877475194c45bc95f10e965864965674adb443cf1176bdd3bc0c523
Instruction Fuzzy Hash: 9541F53511AA84CAF3187768D40E3F932F0FB84716F34466EE0C6D71E7E676E9468291

Function 0000026C9CB562A1 Relevance: 6.2, APIs: 4, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026C9CB5F259: _errno.LIBCMT ref: 0000026C9CB5F262
Part of subcall function 0000026C9CB5F259: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB5F26D

_errno.LIBCMT ref: 0000026C9CB562CE
_errno.LIBCMT ref: 0000026C9CB562EA
_isatty.LIBCMT ref: 0000026C9CB5634B
_getbuf.LIBCMT ref: 0000026C9CB56357

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 3655708593-0
Opcode ID: b349563767bf30984f60fe2376425b3a494ca1bdbea446b70009405771458297
Instruction ID: caaceae12ecd9b61c3dffd26591ed8a2360398d16450b2c89f16c57e4e173d76
Opcode Fuzzy Hash: b349563767bf30984f60fe2376425b3a494ca1bdbea446b70009405771458297
Instruction Fuzzy Hash: 3D519070115A88CFEB98BF2CC4897BA77F0EB59310F240259E896CB3D6D676CC418781

Function 0000026C9CB831E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 0000026C9CB8338F
MultiByteToWideChar.KERNEL32 ref: 0000026C9CB833B7

Strings

Network, xrefs: 0000026C9CB831E2
X64, xrefs: 0000026C9CB832C4

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Network$X64
API String ID: 626452242-3809260122
Opcode ID: 23ae036aa3b1d2709e1c4a854c1d6364a8d361c4d22c79d840b97e812a5fc968
Instruction ID: 70825e18ca36ba9d77127d8a366d3e603a72fb83f6a14ec503f3d981c7f63b18
Opcode Fuzzy Hash: 23ae036aa3b1d2709e1c4a854c1d6364a8d361c4d22c79d840b97e812a5fc968
Instruction Fuzzy Hash: 73518E32214A84D5E750EB65E8452EEB7B1F7847B4FA00317FABA56AE9CF39C145CB00

Function 00007FF7F7381950 Relevance: 6.1, APIs: 4, Instructions: 125comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FF7F73819C4
CoInitialize.OLE32 ref: 00007FF7F73819D6
CoCreateInstance.OLE32 ref: 00007FF7F73819FA
CoUninitialize.OLE32 ref: 00007FF7F7381B21

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: CreateInstance$InitializeUninitialize
String ID:
API String ID: 1701838895-0
Opcode ID: cd67ddf5dae77c640e0d9ee24c34f1a23b683f0c5909ce805016218ca2d8fa47
Instruction ID: 65d37ac4251c774883fadbcdcdca4a0a63353bfd0585bb2b87509ae3234b3dee
Opcode Fuzzy Hash: cd67ddf5dae77c640e0d9ee24c34f1a23b683f0c5909ce805016218ca2d8fa47
Instruction Fuzzy Hash: B751847A618A8193EB10EF15E84026AB361FF88B94F904139DB6D437D4DF7DD446CB90

Function 0000026C9CB9CBC0 Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026C9CB94F78: _getptd.LIBCMT ref: 0000026C9CB94F8A

_errno.LIBCMT ref: 0000026C9CB9CBFE
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB9CC08
_errno.LIBCMT ref: 0000026C9CB9CC2C
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB9CC36

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd
String ID:
API String ID: 1297830140-0
Opcode ID: 5c3f2eb0de4ecc964b19cd037dcff679cc0c5f13b20e04879b55f5937233c062
Instruction ID: ba053c2fb8a42552e6512da084294b65b9cb0fb8f7967248688711fc4d741c0d
Opcode Fuzzy Hash: 5c3f2eb0de4ecc964b19cd037dcff679cc0c5f13b20e04879b55f5937233c062
Instruction Fuzzy Hash: 1B41BF32216790C6EB61EF29D1883BD7BB0E785BD8F644121DBCA43BA6DB39C845C740

Function 0000026C9CB967D0 Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026C9CB9F788: _errno.LIBCMT ref: 0000026C9CB9F791
Part of subcall function 0000026C9CB9F788: _invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB9F79C

_errno.LIBCMT ref: 0000026C9CB967FD
_errno.LIBCMT ref: 0000026C9CB96819
_isatty.LIBCMT ref: 0000026C9CB9687A
_getbuf.LIBCMT ref: 0000026C9CB96886

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno$_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 3655708593-0
Opcode ID: b349563767bf30984f60fe2376425b3a494ca1bdbea446b70009405771458297
Instruction ID: 804a139027b7999ef8025f2b40f13ba7d6fc8083fb5dd6ab1ee29171ec094578
Opcode Fuzzy Hash: b349563767bf30984f60fe2376425b3a494ca1bdbea446b70009405771458297
Instruction Fuzzy Hash: 7641A272612B00C6EB98AF28D49937D37B0E785BE8F344216DAE5473D5DA3AC851C780

Function 0000026C9CB9B10C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026C9CB9593C: _getptd.LIBCMT ref: 0000026C9CB95940

_getptd.LIBCMT ref: 0000026C9CB9B14B

Part of subcall function 0000026C9CB96FA8: _amsg_exit.LIBCMT ref: 0000026C9CB96FBE

_SetImageBase.LIBCMT ref: 0000026C9CB9B21E
_getptd.LIBCMT ref: 0000026C9CB9B24C
_getptd.LIBCMT ref: 0000026C9CB9B25A

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd$BaseImage_amsg_exit
String ID:
API String ID: 2306399499-0
Opcode ID: 35e29d8fd6bc9845a79005a57f687935efa70cb60b342af0ce20e08c547ff475
Instruction ID: 2d8cf89c0c40c248ac6b37f9645482463dd71812c076a2d077fbb876301ff161
Opcode Fuzzy Hash: 35e29d8fd6bc9845a79005a57f687935efa70cb60b342af0ce20e08c547ff475
Instruction Fuzzy Hash: DD419232602A45C2EB34BB55D4993BD7BB1EB81BACF758221DED9437E2DB36C4468301

Function 0000026C9CB53ABD Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB53AE8
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB53AF3
_getptd.LIBCMT ref: 0000026C9CB53B19
free.LIBCMT ref: 0000026C9CB53B84

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 4053972703-0
Opcode ID: eb459f4d2d885252ac1ae88e9d454fcfe944fcaddc80240c982663ec9209a165
Instruction ID: 28aba19a00593ea13b9db4ade70bf0e4a4976a55933a6a34031ca2f782326332
Opcode Fuzzy Hash: eb459f4d2d885252ac1ae88e9d454fcfe944fcaddc80240c982663ec9209a165
Instruction Fuzzy Hash: 31218B30609F49CFE754FBA9D45E77A77E0EB98311F10062EA499C33A2DA61D8418B82

Function 0000026C9CB914A0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000026C9CB914CE
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB914E8
LeaveCriticalSection.KERNEL32 ref: 0000026C9CB91556
SetEvent.KERNEL32 ref: 0000026C9CB91571

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: feb78f70b4df6414eb21c9ecdb35b5c2724385254891411f69aab51776cc5172
Instruction ID: 6db505c5169a07347fbab80114fc1e29b6ba02af25f6a06233b4f3c37aee5604
Opcode Fuzzy Hash: feb78f70b4df6414eb21c9ecdb35b5c2724385254891411f69aab51776cc5172
Instruction Fuzzy Hash: D0210732201B80C3D718DF29E5882BDB3B4F788BA4F644225DBAA87774DF35D8A18700

Function 0000026C9CB96E44 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32 ref: 0000026C9CB96E53
DeleteCriticalSection.KERNEL32 ref: 0000026C9CB9E8EB
free.LIBCMT ref: 0000026C9CB9E8F4
DeleteCriticalSection.KERNEL32 ref: 0000026C9CB9E91B

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 895ab2ec1fe574897f2a59e2529e51965fc67142c4c41bc2158851cfbd195e4a
Instruction ID: 3384dd2b6155041ed5de81373a2dac2112a768fb6e889691bbadbb7343e1e640
Opcode Fuzzy Hash: 895ab2ec1fe574897f2a59e2529e51965fc67142c4c41bc2158851cfbd195e4a
Instruction Fuzzy Hash: 03117032A03A80CAFB55AF51F84C37873B0F754BA9FB84110DAE5066A5CF3AC891CB50

Function 0000026C9CB8CAB0 Relevance: 6.0, APIs: 4, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026C9CB8C7A0: free.LIBCMT ref: 0000026C9CB8C809

HeapDestroy.KERNEL32 ref: 0000026C9CB8CADC
HeapCreate.KERNEL32 ref: 0000026C9CB8CAED
free.LIBCMT ref: 0000026C9CB8CAFF
HeapDestroy.KERNEL32 ref: 0000026C9CB8CB22

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Heap$Destroyfree$Create
String ID:
API String ID: 2478812866-0
Opcode ID: 0a4b86de96d23adba954d842b9e5b68399cc0f510354a5343c41260661051d6d
Instruction ID: 26c8cec5914ef15214fd36a80e9440ebe63f6718cae230cc48fd69a03820d60d
Opcode Fuzzy Hash: 0a4b86de96d23adba954d842b9e5b68399cc0f510354a5343c41260661051d6d
Instruction Fuzzy Hash: D3017176212B40CAEB44EF71E49423973B4FB44FA8F248614DE9A076A8CF39C890C750

Function 0000026C9CB93F6C Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000026C9CB93FA1
ExitThread.KERNEL32 ref: 0000026C9CB93FA9
GetCurrentThreadId.KERNEL32 ref: 0000026C9CB93FB0
_freefls.LIBCMT ref: 0000026C9CB93FE1

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Thread$CurrentErrorExitLast_freefls
String ID:
API String ID: 217443660-0
Opcode ID: 5f66bd7f545b5964a83d9e571df25c32621f8b99ae5f15c0ae7904e1522f0d0e
Instruction ID: 5b1eec61787c5e8c17f7c60570cd55c5b30e63da1656a0b65759cd277f47a1f0
Opcode Fuzzy Hash: 5f66bd7f545b5964a83d9e571df25c32621f8b99ae5f15c0ae7904e1522f0d0e
Instruction Fuzzy Hash: 3301C431602B46C6EF84BB71D45D7BD32F5AB18BC8F74443499DE47386EE2B88448311

Function 0000026C9CB8BD60 Relevance: 6.0, APIs: 4, Instructions: 29threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 0000026C9CB8BD83
CreateThread.KERNEL32 ref: 0000026C9CB8BDA3
WaitForSingleObject.KERNEL32 ref: 0000026C9CB8BDAF
Sleep.KERNEL32 ref: 0000026C9CB8BDBA

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CreateThread$ObjectSingleSleepWait
String ID:
API String ID: 1183137808-0
Opcode ID: 2b652301547513394443e9f97cfd61dfc27d7781a9a24f35fd08fa08d1a6b0cc
Instruction ID: d5ebffae3fb02ac8dd5f4708fccd28309fb0657a8231c9f01b03ec41babb4e49
Opcode Fuzzy Hash: 2b652301547513394443e9f97cfd61dfc27d7781a9a24f35fd08fa08d1a6b0cc
Instruction Fuzzy Hash: 66F06D32A05A40C2EB24AF31F85967A77F1F7C8748FA44216EADA06AB4CF3DC1558A04

Function 0000026C9CB5BB5D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CB5BB81

Strings

csm, xrefs: 0000026C9CB5BBAE
csm, xrefs: 0000026C9CB5BCB8

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 7e8e174ab0f273131100006893f629f4bc2b8ef3f7f9a6985eb2b96e491aa145
Instruction ID: 98c3d0b4481e6d63c945f7ec9473929c6f720aaf4de4fe105ec9912eeec6a6a3
Opcode Fuzzy Hash: 7e8e174ab0f273131100006893f629f4bc2b8ef3f7f9a6985eb2b96e491aa145
Instruction Fuzzy Hash: D4615E3060AA98CBEBA4AF58C0A977973E1FB58311F74416DD4CAC72D5DB31D881C786

Function 00007FF7F7382B80 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 00007FF7F7382BE4
GetLongPathNameW.KERNEL32 ref: 00007FF7F7382C09

Strings

C:/tmp, xrefs: 00007FF7F7382D8F

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Path$LongNameTemp
String ID: C:/tmp
API String ID: 730912879-4167066228
Opcode ID: 83439be4317a1c61e43b9cbe7d8e863dedc4cfdc833063ea0791e58a1257d570
Instruction ID: 7710904380910febc8419dba7c044c5421d7ad9a0fd57ce8ff8bc30a129c4912
Opcode Fuzzy Hash: 83439be4317a1c61e43b9cbe7d8e863dedc4cfdc833063ea0791e58a1257d570
Instruction Fuzzy Hash: C6919277A08A8197E720AF15D450269B3A0FF84BA4F944235DAAD877E4DF3CD847CB90

Function 00007FF7F7340F00 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168registryCOMMON

Download Yara Rule

APIs

RegisterClassW.USER32 ref: 00007FF7F7341044

Strings

__cdecl QWindowsMessageWindowClassContext::QWindowsMessageWindowClassContext(void), xrefs: 00007FF7F7341082
%s: RegisterClass() failed, xrefs: 00007FF7F7341089

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ClassRegister
String ID: %s: RegisterClass() failed$__cdecl QWindowsMessageWindowClassContext::QWindowsMessageWindowClassContext(void)
API String ID: 2764894006-1290848616
Opcode ID: 70229b2911cac80b679d5468395164f5b932432c6456549db484ff30615120df
Instruction ID: 1f1583ea119db73e07e8522dd3241ae3b97e04495d08b4cb5808b2c480e09b43
Opcode Fuzzy Hash: 70229b2911cac80b679d5468395164f5b932432c6456549db484ff30615120df
Instruction Fuzzy Hash: 3B71B536B09A819BEB14EF39D8911ACB3B0EF447A4B504239DA2D87AD5DE38D413C790

Function 0000026C9CB9C08C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CB9C0B0

Part of subcall function 0000026C9CB96FA8: _amsg_exit.LIBCMT ref: 0000026C9CB96FBE

Strings

csm, xrefs: 0000026C9CB9C0DD
csm, xrefs: 0000026C9CB9C1E7

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _amsg_exit_getptd
String ID: csm$csm
API String ID: 4217099735-3733052814
Opcode ID: 7e8e174ab0f273131100006893f629f4bc2b8ef3f7f9a6985eb2b96e491aa145
Instruction ID: 5f8a3dab1de8249a8301e20d94a327e47f8957ca7fd922c92d1fa98adcf29276
Opcode Fuzzy Hash: 7e8e174ab0f273131100006893f629f4bc2b8ef3f7f9a6985eb2b96e491aa145
Instruction Fuzzy Hash: FE51DF32206290C6EB74AF65D14837D77B0F349B8CF648125DED957B86CB3AC891CB06

Function 0000026C9CB5C901 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB5C946
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB5C94D

Strings

-, xrefs: 0000026C9CB5C968

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: -
API String ID: 2959964966-2547889144
Opcode ID: 8a07b590ae617312092e8962cd440cdcb98ac0e38d795e7c313dfeba10ba302d
Instruction ID: f40695d04994f8c11087b35f8de885841b8b25a60610eba3a3a65d78a3d40738
Opcode Fuzzy Hash: 8a07b590ae617312092e8962cd440cdcb98ac0e38d795e7c313dfeba10ba302d
Instruction Fuzzy Hash: 3541D831219A88CFE755FB2CD4897BA77F1EB99354F20462EE8CAC32C1DA22C8454743

Function 00007FF7F7402DA4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F7402DE7

Strings

gfff, xrefs: 00007FF7F7402F09
e+000, xrefs: 00007FF7F7402E8C

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 0f2dbf502fb50cc3c9119360ffe868a7f7c1b9d889f18b21b2ea719df869edc6
Instruction ID: 43241d79b947655aeced519c339ee083ae991cb22210287cdffacebc7796454c
Opcode Fuzzy Hash: 0f2dbf502fb50cc3c9119360ffe868a7f7c1b9d889f18b21b2ea719df869edc6
Instruction Fuzzy Hash: FD513866B186C286EB259F3598403A9EB91EB41BD0F889235D7BC47BD5CE2CE046C750

Function 00007FF7F7315F60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF7F731601B

Strings

QCoreApplication::applicationFilePath: Please instantiate the QApplication object first, xrefs: 00007FF7F7315FA7
default, xrefs: 00007FF7F7315F9B

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Init_thread_footer
String ID: QCoreApplication::applicationFilePath: Please instantiate the QApplication object first$default
API String ID: 1385522511-1195541078
Opcode ID: 06e3373bd0cf0de3971f7f336e6d5dd1eaadc2dca8628431f20a1437d26f4a2b
Instruction ID: 9e00e10bc899efe732e0aa1e81244fcaa6126db8bd61ae5aaf3acf4a1730e6f2
Opcode Fuzzy Hash: 06e3373bd0cf0de3971f7f336e6d5dd1eaadc2dca8628431f20a1437d26f4a2b
Instruction Fuzzy Hash: DA514239E09A91D2EB50EB29D480279B361FF847A0F905135DA6D873E5DF3CE452C790

Function 0000026C9CB8841A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB93E78: malloc.LIBCMT ref: 0000026C9CB93E92

wsprintfW.USER32 ref: 0000026C9CB8846D
CloseHandle.KERNEL32 ref: 0000026C9CB8859C

Strings

%s_bin, xrefs: 0000026C9CB88463

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: CloseHandlemallocwsprintf
String ID: %s_bin
API String ID: 2399101171-2665034546
Opcode ID: 0a69d819fd656596b93c855f7e1b851c5acc7014e10a6c2c838e2f35afa1a01a
Instruction ID: 18452daf1887b566c7872ec9766217cb1fff2c0d81b99d17c52a6f8e71ada500
Opcode Fuzzy Hash: 0a69d819fd656596b93c855f7e1b851c5acc7014e10a6c2c838e2f35afa1a01a
Instruction Fuzzy Hash: 9341BE76702684C2EB64FB26D4587BA77B1EB89BC8F648115DE9E037D2DA3BC544C700

Function 00007FF7F73FDC94 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7F73FDDAB
GetLastError.KERNEL32 ref: 00007FF7F73FDDCD

Strings

U, xrefs: 00007FF7F73FDD57

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: fd5550cb344639488e59e975bf7c83b31fce18860d2481271e35627b1b3623d5
Instruction ID: 392a3a6f515631c79b5191b00857129c64455840c88be1af2f8c0bf8130059eb
Opcode Fuzzy Hash: fd5550cb344639488e59e975bf7c83b31fce18860d2481271e35627b1b3623d5
Instruction Fuzzy Hash: C241A327628A8592DB10AF25E4583E9A7A1FF887D4F804135EE5D87798DF3CD402C790

Function 0000026C9CB5C1B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB5C1FC
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB5C203

Strings

-, xrefs: 0000026C9CB5C239

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: -
API String ID: 2959964966-2547889144
Opcode ID: c509db6e2127a862873f146b9b3d7d83ca6d8aba37a91d2db03c05197ceee07f
Instruction ID: 627fbd8cbc8f04bb2b93f15da080b91e039a31445fe3e812fc6ea6d1c346a067
Opcode Fuzzy Hash: c509db6e2127a862873f146b9b3d7d83ca6d8aba37a91d2db03c05197ceee07f
Instruction Fuzzy Hash: B821D831218A88CBD754FB68D8857BA73F1FB98310F64452EA4CAC32C1DE26C8454742

Function 0000026C9CB55EE9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB55E6A
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB55E75

Strings

B, xrefs: 0000026C9CB55E9A

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 0393436462657110cb73ce37d4357934f28618228331e8602f4d03b9a811f737
Instruction ID: 038b156b028fc37ba65d0da1aecc128f9dee65aa4d28b2cad3dea2fddec66074
Opcode Fuzzy Hash: 0393436462657110cb73ce37d4357934f28618228331e8602f4d03b9a811f737
Instruction Fuzzy Hash: ED21D43021DB88CFD754FF58C48977977E1FB98321F60066EA499C32D2CA75C8448782

Function 0000026C9CB55BB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB55BEE
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB55BF9

Strings

I, xrefs: 0000026C9CB55C10

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: I
API String ID: 2959964966-3707901625
Opcode ID: a2e5181514195cdc91507144e00db8c737aca040fdae64f2d7fa568e57d83979
Instruction ID: 9ae99d4d724bd9fcc026a6d0a3e501372e1031b61c8d8a269f41dba4bb15c3f4
Opcode Fuzzy Hash: a2e5181514195cdc91507144e00db8c737aca040fdae64f2d7fa568e57d83979
Instruction Fuzzy Hash: 55117C70519B4CCFD794FF58D48977A76E1FB98325F20076EA499C32E1DA35C8448B82

Function 0000026C9CB8DC70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

StrChrW.SHLWAPI ref: 0000026C9CB8DCA0
swscanf.LIBCMT ref: 0000026C9CB8DCFD

Strings

%d.%d.%d.%d%c, xrefs: 0000026C9CB8DCEE

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: swscanf
String ID: %d.%d.%d.%d%c
API String ID: 3616590096-2398565245
Opcode ID: c43af12d048c2140f8e3e2782bbf25f93f865edb1df4d58d990b40a747d97f95
Instruction ID: f2aecec56f175e3f031fcb67fb6e51a787701b42b6da8a7e365af378ee13d63c
Opcode Fuzzy Hash: c43af12d048c2140f8e3e2782bbf25f93f865edb1df4d58d990b40a747d97f95
Instruction Fuzzy Hash: 28116372706A41C6FF14EB24E4953BAB3B0EB95758FA40022EACE46695DB7EC481CB00

Function 0000026C9CBA7235 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000026C9CBA72F9

Strings

csm, xrefs: 0000026C9CBA725C
csm, xrefs: 0000026C9CBA72B5

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 48bc1373a0cf7fa20b60edcf05be31b4cb9f1640bae482645bfd625d32f457a4
Instruction ID: 24b4299f7b15daf685d43069d1a8f727d701ad4d4d22d25d76c43ac5bed2f300
Opcode Fuzzy Hash: 48bc1373a0cf7fa20b60edcf05be31b4cb9f1640bae482645bfd625d32f457a4
Instruction Fuzzy Hash: DF31AA73105704CAEB609F65C0943AC3BB5F359BADF961215EA8D1BB58CB76C8C1C784

Function 00007FF7F738D220 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7F738D2B2

Strings

default, xrefs: 00007FF7F738D256
QWaitCondition::wait: Cannot wait on recursive mutexes, xrefs: 00007FF7F738D25D

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ObjectSingleWait
String ID: QWaitCondition::wait: Cannot wait on recursive mutexes$default
API String ID: 24740636-2009005735
Opcode ID: 146604afdf875c87d0d0e0ef66d7f3da82025842baf9707a1a8bbcafb69421db
Instruction ID: 8c74be762abea21b7accda55ff6224a6f70913fea4c6a1fc32f350ed2c28cddd
Opcode Fuzzy Hash: 146604afdf875c87d0d0e0ef66d7f3da82025842baf9707a1a8bbcafb69421db
Instruction Fuzzy Hash: B411A426A08B9182EB50EB12A04017AE361FF88BD0F844135EE9D03B9ADF7CD056C790

Function 0000026C9CB96418 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026C9CB96399
_invalid_parameter_noinfo.LIBCMT ref: 0000026C9CB963A4

Strings

B, xrefs: 0000026C9CB963C9

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 0393436462657110cb73ce37d4357934f28618228331e8602f4d03b9a811f737
Instruction ID: b54732abee6526f5165ecc9cfa12d0f50143b004439c33da2d4b4f0dd5b8c020
Opcode Fuzzy Hash: 0393436462657110cb73ce37d4357934f28618228331e8602f4d03b9a811f737
Instruction Fuzzy Hash: 49118132219780C6EB60AF15D44437EB6B1F798BD8FA84221ABC947B96CB3AC544CB00

Function 0000026C9CB91130 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 0000026C9CB9117D
WSAGetLastError.WS2_32 ref: 0000026C9CB91188

Strings

<C-CNNID: %Iu> send 0 bytes (detect package), xrefs: 0000026C9CB9119C

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLastsend
String ID: <C-CNNID: %Iu> send 0 bytes (detect package)
API String ID: 1802528911-4236689219
Opcode ID: 26024b8f4a6b1fc62b5e85987d6cbbeeaefd2807c977c47cb76afe576a9464f7
Instruction ID: 47b0474f7a5bfaaf464103132b49c170c9e80ffc9cfc00343a9ea5462ddd810a
Opcode Fuzzy Hash: 26024b8f4a6b1fc62b5e85987d6cbbeeaefd2807c977c47cb76afe576a9464f7
Instruction Fuzzy Hash: 6811AC72601500C6EB548F2AF48877E73F0E798B4CF790121DB998B6A5CB76C8D38B40

Function 0000026C9CBA7335 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0000026C9CB95D74: _getptd.LIBCMT ref: 0000026C9CB95D81
Part of subcall function 0000026C9CB95D74: _getptd.LIBCMT ref: 0000026C9CB95D94

_getptd.LIBCMT ref: 0000026C9CBA7396
_getptd.LIBCMT ref: 0000026C9CBA73A9

Strings

csm, xrefs: 0000026C9CBA7355

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: 110644245a712163c931d5ba1d41ab16cc3e499cf3e1aabacc1b7c0560f8ec51
Instruction ID: bd363303470f230a55856031fadec92bb8cd170373d7b31c69cb75a286644da7
Opcode Fuzzy Hash: 110644245a712163c931d5ba1d41ab16cc3e499cf3e1aabacc1b7c0560f8ec51
Instruction Fuzzy Hash: D8014C33142640CAEB70BF22C8687BD33F4E754B59FAA0225DED95A696DB32C8C1C301

Function 00007FF7F7339EF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(?,?,?,?,?,?,?,00007FF7F7339E8E), ref: 00007FF7F7339F13

Strings

default, xrefs: 00007FF7F7339F2E
QMutexData::QMutexData: Cannot create event, xrefs: 00007FF7F7339F35

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: CreateEvent
String ID: QMutexData::QMutexData: Cannot create event$default
API String ID: 2692171526-3883557714
Opcode ID: 7e7d644c09d99a5a6c3be016508522d6b6355ef5b7fdc0e416c337ea6e263274
Instruction ID: 1960c33bf2e09a6c5a547c97576ee7f1db199b94557c964d8810ed2a77add116
Opcode Fuzzy Hash: 7e7d644c09d99a5a6c3be016508522d6b6355ef5b7fdc0e416c337ea6e263274
Instruction Fuzzy Hash: FBF0C236A09B8181EB119F29F44172AF7A0FF98758FA4C135EA9D02795EF7CD152CB80

Function 00007FF7F7401574 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF7F740159D
TlsSetValue.KERNEL32(?,?,?,00007FF7F74027EA,?,?,?,00007FF7F73F8CFD,?,?,?,?,00007FF7F73484A7), ref: 00007FF7F74015B4

Strings

FlsSetValue, xrefs: 00007FF7F740158A

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 0ba6b372cb4a2b199900795e9c6c51c8a2dfea35c9e952b3c7edfe421b932056
Instruction ID: a402cec6964a312034d2411ba2f2748c714522d7ac5d2ed865eca4c9be5f3a51
Opcode Fuzzy Hash: 0ba6b372cb4a2b199900795e9c6c51c8a2dfea35c9e952b3c7edfe421b932056
Instruction Fuzzy Hash: E2E065A9A08603C1EB057B54F4405B8A222AF48795FD95131E93E0B2D5CE3CE486C7A0

Function 0000026C9CB46FA1 Relevance: 5.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026C9CB46FD4

Part of subcall function 0000026C9CB541A9: _FF_MSGBANNER.LIBCMT ref: 0000026C9CB541D9
Part of subcall function 0000026C9CB541A9: _callnewh.LIBCMT ref: 0000026C9CB54217
Part of subcall function 0000026C9CB541A9: _errno.LIBCMT ref: 0000026C9CB54222
Part of subcall function 0000026C9CB541A9: _errno.LIBCMT ref: 0000026C9CB5422D

free.LIBCMT ref: 0000026C9CB46FFC
free.LIBCMT ref: 0000026C9CB47087
free.LIBCMT ref: 0000026C9CB470C7

Memory Dump Source

Source File: 00000000.00000002.2236546037.0000026C9CB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb40000_quHmbPnLFV.jbxd

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: cc656971716715345f2a5dcc39fcc7d40fdafd1851604fdf7a17465b1541438a
Instruction ID: 5bd0006ff12c0090f31b2258b04ad721dab631cc5431728fe179ba0aac6116c9
Opcode Fuzzy Hash: cc656971716715345f2a5dcc39fcc7d40fdafd1851604fdf7a17465b1541438a
Instruction Fuzzy Hash: BE41EE7161EB0ACFE764FF1CC499736B6E5FB98311F20452DA9CAC3252DA61D802C782

Function 0000026C9CB81870 Relevance: 5.1, APIs: 4, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 0000026C9CB818EE
VirtualFree.KERNEL32 ref: 0000026C9CB81928
VirtualAlloc.KERNEL32 ref: 0000026C9CB81995
VirtualFree.KERNEL32 ref: 0000026C9CB819CF

Part of subcall function 0000026C9CB81A80: send.WS2_32 ref: 0000026C9CB81AE3
Part of subcall function 0000026C9CB81A80: send.WS2_32 ref: 0000026C9CB81B30

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocFreesend
String ID:
API String ID: 2354595252-0
Opcode ID: 42f920e62df292d262b0744aa4ce6eb943c302377280a50c8d6856371cde3bb9
Instruction ID: af259c3711d7d5dbe7f80ab881b0acc5c7c52b30056fdc213cc696141cc26f2f
Opcode Fuzzy Hash: 42f920e62df292d262b0744aa4ce6eb943c302377280a50c8d6856371cde3bb9
Instruction Fuzzy Hash: 1F514C72202B40CBE714EB2AE44467EB7B5F784B84F248125DBCA97B64DF79E446CB00

Function 0000026C9CB82290 Relevance: 5.1, APIs: 4, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 0000026C9CB8230E
VirtualFree.KERNEL32 ref: 0000026C9CB82348
VirtualAlloc.KERNEL32 ref: 0000026C9CB823B5
VirtualFree.KERNEL32 ref: 0000026C9CB823EF

Memory Dump Source

Source File: 00000000.00000002.2236569762.0000026C9CB80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026C9CB80000, based on PE: true

Associated: 00000000.00000002.2236569762.0000026C9CBBE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c9cb80000_quHmbPnLFV.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: c644452f85baab6451ec69b31673ecdda31e611098b1083b8dabd6bbc09c8c61
Instruction ID: 5a1f38b90ecebd0351bcf8fb87da9ef5f5f97ec9f080ea01e12b5951f78f1553
Opcode Fuzzy Hash: c644452f85baab6451ec69b31673ecdda31e611098b1083b8dabd6bbc09c8c61
Instruction Fuzzy Hash: 75514D72201B40CBE715EB2AE45427EB7B5F744B84F208125DBCA87B65DB79E445CB00

Function 00007FF7F7314410 Relevance: 5.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00007FF7F731444E
IsBadReadPtr.KERNEL32 ref: 00007FF7F7314544
SetLastError.KERNEL32(?,?,00000000,00000000,?,00007FF7F7314A90), ref: 00007FF7F7314566
SetLastError.KERNEL32(?,?,00000000,00000000,?,00007FF7F7314A90), ref: 00007FF7F7314584

Memory Dump Source

Source File: 00000000.00000002.2236681540.00007FF7F7311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F7310000, based on PE: true

Associated: 00000000.00000002.2236670004.00007FF7F7310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F7416000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236744697.00007FF7F754B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F7588000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236847933.00007FF7F75BB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2236881548.00007FF7F75CA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f7310000_quHmbPnLFV.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 6a69c7bdf01cc1d2336885ad907c5f05680f579d0beabb65993b657d56b6f43c
Instruction ID: d2041baf1b7113c36351eb67d2d82c8cbfbdec9456211fd6513893991b98a408
Opcode Fuzzy Hash: 6a69c7bdf01cc1d2336885ad907c5f05680f579d0beabb65993b657d56b6f43c
Instruction Fuzzy Hash: 74417C7AA0568287EB149F15E010639A3A5FF44FA8F460439DE6E433D4DE7CE846C3A0

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report quHmbPnLFV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_quHmbPnLFV.exe_ff65ec9a547faaab72fb38c58ef38a8d91f5916e_af65133f_d5edd506-a81f-48b8-a842-c164e9d57838\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6FC8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7150.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7180.tmp.xml

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
quHmbPnLFV.exe

Function 0000026C9CB82B00 Relevance: 77.4, APIs: 30, Strings: 14, Instructions: 365
stringnetworklibraryCOMMON

Function 0000026C9CB8B480 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 279
sleepsynchronizationtimeCOMMON

Function 0000026C9CB8B9A0 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
sleepsynchronizationtimeCOMMON

Function 00007FF7F7314610 Relevance: 31.9, APIs: 16, Strings: 2, Instructions: 354
memorylibraryloaderCOMMON

Function 0000026C9CB84900 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 133
registrystringCOMMON

Function 00007FF7F7313FB0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 79
encryptionCOMMON

Function 0000026C9CB84D10 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 82
registrylibraryloaderCOMMON

Function 0000026C9CB814F0 Relevance: 18.1, APIs: 12, Instructions: 139
networkstringtimeCOMMON

Function 00000001400014F0 Relevance: 18.1, APIs: 12, Instructions: 139
networkstringtimeCOMMON

Function 00000001400041B0 Relevance: 16.5, APIs: 11, Instructions: 43
threadsleepsynchronizationCOMMON

Function 0000026C9CB84770 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 87
COMMON

Function 0000026C9CB83830 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 70
synchronizationsleepstringCOMMON

Function 0000000140003AC0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163
sleepCOMMON

Function 00000001400094E0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99
networkCOMMON

Function 00007FF7F7319920 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176
libraryloaderCOMMON