Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe
Analysis ID:	1670662
MD5:	a77466dbe5c78ae003ddfc65bffca866
SHA1:	6822ea35faa24f271f1d527487cff3c82046d0e6
SHA256:	795b8c369ada96e2b3a37e396a717f2e093524f89eabe1fc9631bb0cd7b5a33b
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Emmenhtal Loader

Score:	64
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Emmenhtal Loader

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe (PID: 7740 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe" MD5: A77466DBE5C78AE003DDFC65BFFCA866)

conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	JoeSecurity_EmmenhtalLoader	Yara detected Emmenhtal Loader	Joe Security
SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	emmenhtal_strings_hta_exe	Emmenhtal Loader string	Sekoia.io	0x8add2:$char: = String.fromCharCode(aE,Tl, 0x8adcb:$var: var 0xcbab0:$eval: eval( 0x8ac4f:$script1: <script> 0xcbaa6:$script1: <script> 0x9d69d:$script2: </script>MZ 0xcbacc:$script2: </script>MZ

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Virustotal: Detection: 8%

Perma Link

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: bitsadmin.pdb source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe
Source:	Binary string: bitsadmin.pdbGCTL source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

String found in binary or memory: http://server/get.asp

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe, type: SAMPLE

Matched rule: Emmenhtal Loader string Author: Sekoia.io

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Code function: String function: 00744D6F appears 32 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Code function: String function: 00744333 appears 43 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Code function: String function: 0074404C appears 207 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Code function: String function: 00737279 appears 48 times

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe, 00000000.00000000.1134499510.0000000000763000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebitsadmin.exej% vs SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Binary or memory string: OriginalFilenamebitsadmin.exej% vs SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe, type: SAMPLE

Matched rule: emmenhtal_strings_hta_exe author = Sekoia.io, description = Emmenhtal Loader string, creation_date = 2024-09-06, classification = TLP:CLEAR, version = 1.0, id = 64e08610-e8a4-4edd-8f6b-d4e8d2b47d87, hash = e86a22f1c73b85678e64341427c7193ba65903f3c0f29af2e65d7c56d833d912

Source: classification engine

Classification label: mal64.troj.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Code function: 0_2_007372AB CoCreateInstance,

0_2_007372AB

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Virustotal: Detection: 8%

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	String found in binary or memory: FO <job> [/VERBOSE] Displays information about the job /ADDFILE <job> <remote_url> <local_name> Adds a file to t
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	String found in binary or memory: e job /ADDFILESET <job> <textfile> Adds multiple files to the job Each line of <textfile> lists a file's remote nam
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	String found in binary or memory: ry, the contents are added to the job. /ADDFILEWITHRANGES <job> <remote_url> <local_name range_list> Like /ADDFILE, but BITS
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	String found in binary or memory: /ADDFILEWITHRANGES
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	String found in binary or memory: /ADDFILESET
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	String found in binary or memory: /ADDFILE
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	String found in binary or memory: /ADDFILE <job> <remote_url> <local_name> Adds a file to the job
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	String found in binary or memory: /ADDFILESET <job> <textfile> Adds multiple files to the job
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	String found in binary or memory: /ADDFILEWITHRANGES <job> <remote_url> <local_name range_list>
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	String found in binary or memory: Like /ADDFILE, but BITS will read only selected byte ranges of the URL.
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	String found in binary or memory: /UTIL/LIST/MONITOR/RESET/TRANSFER/CREATE/INFO/ADDFILE/ADDFILESET/ADDFILEWITHRANGES/REPLACEREMOTEPREFIX/LISTFILES/SUSPEND/RESUME/CANCEL/COMPLETE/GETTYPE/GETACLFLAGS/SETACLFLAGS/GETBYTESTOTAL/GETBYTESTRANSFERRED/GETFILESTOTAL/GETFILESTRANSFERRED/GETCREATIONTIME/GETMODIFICATIONTIME/GETCOMPLETIONTIME/GETSTATE/GETERROR/GETOWNER/GETDISPLAYNAME/SETDISPLAYNAME/GETDESCRIPTION/SETDESCRIPTION/GETPRIORITY/SETPRIORITY/GETNOTIFYFLAGS/SETNOTIFYFLAGS/GETNOTIFYINTERFACE/GETMINRETRYDELAY/SETMINRETRYDELAY/GETNOPROGRESSTIMEOUT/SETNOPROGRESSTIMEOUT/GETMAXDOWNLOADTIME/SETMAXDOWNLOADTIME/GETERRORCOUNT/GETPROXYUSAGE/GETPROXYLIST/GETPROXYBYPASSLIST/SETPROXYSETTINGS/TAKEOWNERSHIP/GETREPLYFILENAME/SETREPLYFILENAME/GETREPLYPROGRESS/GETREPLYDATA/GETNOTIFYCMDLINE/SETNOTIFYCMDLINE/SETCREDENTIALS/REMOVECREDENTIALS/SETPEERCACHINGFLAGS/GETPEERCACHINGFLAGS/SETCUSTOMHEADERS/GETCUSTOMHEADERS/GETCLIENTCERTIFICATE/SETCLIENTCERTIFICATEBYID/SETCLIENTCERTIFICATEBYNAME/REMOVECLIENTCERTIFICATE/SETSECURITYFLAGS/GETSECURITYFLAGS/SETVALIDATIONSTATE/GETVALIDATIONSTATE/GETTEMPORARYNAME/SETHELPERTOKENFLAGS/GETHELPERTOKENFLAGS/SETHELPERTOKEN/GETHELPERTOKENSID/GETPEERSTATS/PEERCACHING/CACHE/PEERS/SETHTTPMETHOD/GETHTTPMETHOD/MAKECUSTOMHEADERSWRITEONLY.OCP/RAWRETURN/WRAP/NOWRAPUnable to initialize COMUSAGE: BITSADMIN [/RAWRETURN] [/WRAP \| /NOWRAP] command

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: bitsadmin.pdb source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe
Source:	Binary string: bitsadmin.pdbGCTL source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Static PE information: 0xF3314174 [Fri Apr 17 06:45:08 2099 UTC]

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Static PE information: real checksum: 0x39efd should be: 0x105488

Source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Code function: 0_2_00747D59 push ecx; ret

0_2_00747D6C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

API coverage: 2.2 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Code function: 0_2_0074745B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0074745B

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Code function: 0_2_0074745B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0074745B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	Code function: 0_2_00746F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00746F07

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Code function: 0_2_0073AC11 AllocateAndInitializeSid,ConvertSidToStringSidW,GetLastError,SetLastError,

0_2_0073AC11

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Code function: 0_2_0074282B GetSystemTimeAsFileTime,GetSystemTimeAsFileTime,_finite,_finite,

0_2_0074282B

Stealing of Sensitive Information

Yara detected Emmenhtal Loader

Source: Yara match

File source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe, type: SAMPLE

Remote Access Functionality

Yara detected Emmenhtal Loader

Source: Yara match

File source: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	8%	Virustotal		Browse
SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	8%	ReversingLabs	Win32.Dropper.Lumma

Source	Detection	Scanner	Label	Link
http://server/get.asp	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://server/get.asp	SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1670662
Start date and time:	2025-04-22 01:54:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe
Detection:	MAL
Classification:	mal64.troj.winEXE@2/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 59% Number of executed functions: 3 Number of non-executed functions: 72
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Not all processes where analyzed, report is missing behavior information

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.706565193870899
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe
File size:	1'023'701 bytes
MD5:	a77466dbe5c78ae003ddfc65bffca866
SHA1:	6822ea35faa24f271f1d527487cff3c82046d0e6
SHA256:	795b8c369ada96e2b3a37e396a717f2e093524f89eabe1fc9631bb0cd7b5a33b
SHA512:	35933f50a8bbd1af6c394219675416e93b9be8e593ce45a61eff3a9bab42eca049e43de2b4a17478a9d010ab689ea4f6b86cb6efea841489d4047d5535523d88
SSDEEP:	24576:BdBs/qkBdBs/qkidBs/qkEdBs/qkIdBs/qk:LBOLBOkBOSBOeBO
TLSH:	4125FB11B7F94055F8B3BA751EB9DAE8AA3BF8595F3181DF0348110E0763AA189307B7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................O.........y...I.......I.......I.......I.!.....I.......I.#.....I.......Rich............................PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x426ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0xF3314174 [Fri Apr 17 06:45:08 2099 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	df600280bfaa63bf70c653bfb634058e

Entrypoint Preview

Instruction
call 00007FD2D4D35F9Eh
jmp 00007FD2D4D35983h
int3
int3
int3
int3
int3
int3
cmp ecx, dword ptr [0042B390h]
jne 00007FD2D4D35B15h
ret
jmp 00007FD2D4D35B4Dh
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push 00000000h
call dword ptr [004401B8h]
push dword ptr [ebp+08h]
call dword ptr [004401B4h]
push C0000409h
call dword ptr [00440224h]
push eax
call dword ptr [00440170h]
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [004401BCh]
test eax, eax
je 00007FD2D4D35B17h
push 00000002h
pop ecx
int 29h
mov dword ptr [0042B4D0h], eax
mov dword ptr [0042B4CCh], ecx
mov dword ptr [0042B4C8h], edx
mov dword ptr [0042B4C4h], ebx
mov dword ptr [0042B4C0h], esi
mov dword ptr [0042B4BCh], edi
mov word ptr [0042B4E8h], ss
mov word ptr [0042B4DCh], cs
mov word ptr [0042B4B8h], ds
mov word ptr [0042B4B4h], es
mov word ptr [0042B4B0h], fs
mov word ptr [0042B4ACh], gs
pushfd
pop dword ptr [0042B4E0h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x402bc	0x1a4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x43000	0x808	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x44000	0x1e94	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x158ec	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1000	0xbc	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x40000	0x2b8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2a720	0xa0	.text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29918	0x29a00	149d6639c6f6aa4b4f6d5affe398638a	False	0.34294059684684686	dBase III DBT, version number 0, next free block index 188, 1st item "T\250@"	5.455322859704908	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2b000	0x14a40	0x400	b77f50fce8e2b29f117d097e65d3b53e	False	0.302734375	data	3.1939607954361753	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x40000	0x15ce	0x1600	76349c29cfe6024d82839f2ab7636615	False	0.41246448863636365	data	5.3734542616000125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x42000	0x38	0x200	5d009f546b897e5afcbce3720702dd00	False	0.083984375	data	0.4968001699838246	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x43000	0x808	0xa00	6b9e7861798b679a0c9db41294ad2e38	False	0.3796875	data	3.728104235576586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x44000	0x1e94	0x2000	2dd992d77c9771a477829954952a627b	False	0.787353515625	data	6.6855551445537325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MUI	0x43740	0xc8	data	English	United States	0.54
RT_VERSION	0x43398	0x3a8	OpenPGP Public Key	English	United States	0.46047008547008544
RT_MANIFEST	0x430f0	0x2a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5264705882352941

Imports

DLL	Import
api-ms-win-crt-runtime-l1-1-0.dll	__doserrno, _initterm_e, _c_exit, _register_thread_local_exe_atexit_callback, _initterm
api-ms-win-crt-math-l1-1-0.dll	_finite
api-ms-win-crt-private-l1-1-0.dll	_o___p___argc, _o___p___wargv, _o___p__commode, _o___stdio_common_vswprintf, _o___stdio_common_vswscanf, _o__cexit, _o__configthreadlocale, _o__configure_wide_argv, _o__controlfp_s, _o__crt_atexit, _o__exit, _o__get_initial_wide_environment, _o__initialize_onexit_table, _o__initialize_wide_environment, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, memcpy, _o__stricmp, _o__wcsicmp, _o__wfopen, _o__wsetlocale, _o_exit, _o_feof, _o_floor, _o_free, _o_getc, _o_iswxdigit, _o_malloc, _o_terminate, _o_ungetc, _o_wcstok, _o_wcstol, _o_wcstoul, __current_exception, __current_exception_context, _except_handler4_common, wcsstr, wcschr, __std_terminate, __CxxFrameHandler3, _CxxThrowException
api-ms-win-crt-string-l1-1-0.dll	memset
api-ms-win-downlevel-kernel32-l1-1-0.dll	Sleep, LoadLibraryExW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, GetConsoleOutputCP, WriteFile, SetConsoleMode, TerminateProcess, SetThreadUILanguage, InitializeCriticalSection, GetSystemDirectoryW, GetConsoleMode, FillConsoleOutputCharacterW, FileTimeToSystemTime, FileTimeToLocalFileTime, SleepEx, FillConsoleOutputAttribute, WriteConsoleW, GetTimeFormatW, GetNumberOfConsoleInputEvents, GetSystemTimeAsFileTime, GetFileType, SetConsoleCursorPosition, GetDateFormatW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, DeleteCriticalSection, ReadConsoleInputW, InitializeCriticalSectionEx, LeaveCriticalSection, GetStdHandle, EnterCriticalSection, ReleaseMutex, WaitForSingleObject, QueueUserAPC, GetFileAttributesW, ExpandEnvironmentStringsW, SetLastError, CompareStringW, CompareStringA, WideCharToMultiByte, HeapSetInformation, CloseHandle, GetCurrentThread, MultiByteToWideChar, DuplicateHandle, GetThreadLocale, GetCurrentProcess, SetConsoleCtrlHandler, GetCurrentThreadId, FreeLibrary, GetModuleHandleW, FormatMessageW, GetLastError, GetProcAddress
api-ms-win-downlevel-ole32-l1-1-0.dll	CoTaskMemFree, StringFromGUID2, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitializeEx, CLSIDFromString
SspiCli.dll	LogonUserExExW
api-ms-win-security-lsalookup-l1-1-0.dll	LookupAccountSidLocalW
api-ms-win-core-version-l1-1-0.dll	VerQueryValueW, GetFileVersionInfoExW, GetFileVersionInfoSizeExW
api-ms-win-core-registry-l1-1-0.dll	RegSetValueExA, RegCreateKeyExA, RegQueryValueExA, RegQueryInfoKeyW, RegOpenKeyExA, RegEnumValueA, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey
api-ms-win-security-sddl-l1-1-0.dll	ConvertSidToStringSidW
api-ms-win-core-heap-l2-1-0.dll	LocalAlloc, LocalFree
api-ms-win-security-base-l1-1-0.dll	GetSidSubAuthorityCount, GetSidSubAuthority, CopySid, RevertToSelf, ImpersonateSelf, AllocateAndInitializeSid, GetTokenInformation, GetLengthSid, ImpersonateLoggedOnUser
api-ms-win-core-processthreads-l1-1-0.dll	OpenThreadToken
api-ms-win-service-management-l2-1-0.dll	QueryServiceStatusEx
api-ms-win-service-management-l1-1-0.dll	OpenServiceW, CloseServiceHandle, OpenSCManagerW
api-ms-win-core-kernel32-legacy-l1-1-2.dll	OpenMutexA
api-ms-win-core-apiquery-l1-1-0.dll	ApiSetQueryApiSetPresence
api-ms-win-core-delayload-l1-1-1.dll	ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll	DelayLoadFailureHook

Version Infos

Description	Data
CompanyName	Microsoft Corporation
FileDescription	BITS administration utility
FileVersion	7.8.20348.1 (WinBuild.160101.0800)
InternalName	bitsadmin.exe
LegalCopyright	Microsoft Corporation. All rights reserved.
OriginalFilename	bitsadmin.exe
ProductName	Microsoft Windows Operating System
ProductVersion	7.8.20348.1
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe
• conhost.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe
• conhost.exe

Click to jump to process

Behavior

• SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	19:55:09
Start date:	21/04/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe"
Imagebase:	0x720000
File size:	1'023'701 bytes
MD5 hash:	A77466DBE5C78AE003DDFC65BFFCA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:55:09
Start date:	21/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	40
Total number of Limit Nodes:	4

Executed Functions

Function 00737DA5 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,server), ref: 00737DB4
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,proxy), ref: 00737DCA
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 00737E11
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0072452C,?,?,?,?,?,0074A6D8), ref: 00737E32
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8,?,?,?,?,?,0074A6D8), ref: 00737E8D

Strings

,Er, xrefs: 00737E23
(C) Copyright Microsoft Corp., xrefs: 00737EC7
BITSADMIN version 3.0, xrefs: 00737EAF
' is not a valid credential target. It must be 'proxy' or 'server'., xrefs: 00737DF3
is not a valid credential scheme.It must be one of the following: basic digest ntlm negotiate passport, xrefs: 00737E6F
proxy, xrefs: 00737DC4
server, xrefs: 00737DAE
BITS administration utility., xrefs: 00737EBB

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: _o__wcsicmp$ExceptionThrow
String ID: ' is not a valid credential target. It must be 'proxy' or 'server'.$(C) Copyright Microsoft Corp.$,Er$BITS administration utility.$BITSADMIN version 3.0$is not a valid credential scheme.It must be one of the following: basic digest ntlm negotiate passport$proxy$server
API String ID: 1461274180-2437993357
Opcode ID: a762f7e02d4758f4e5434583091c87d6746a6e33165d801366ea637241f8a786
Instruction ID: a0ceaa16487bd81861accab8f393ad8a34c002148703894d10172ec359aa2834
Opcode Fuzzy Hash: a762f7e02d4758f4e5434583091c87d6746a6e33165d801366ea637241f8a786
Instruction Fuzzy Hash: B721FB61748224E7961873797C1FE6F229ECFC1B50B10402AB502E7296DFECCD0292D5

Function 007441BE Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleScreenBufferInfo.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B798,?,0074B798,00000000,?), ref: 0074420C
WriteConsoleW.KERNELBASE(0074B798,007537A4,00000002,?,00000000,?,?,00000000), ref: 00744268
GetConsoleOutputCP.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B798,00000000,?), ref: 00744286
WideCharToMultiByte.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,00000000,007537A4,00000000,0074B7A4,00008000,00000000,00000000), ref: 007442A3
WriteFile.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B798,0074B7A4,00000000,?,00000000), ref: 007442C5
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 007442CF
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 007442DC
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00744304
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 00744327

Strings

Unable to write to the output file, xrefs: 007442F0
Invalid argument: invalid name for system account., xrefs: 00744336

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleErrorLast$Write$BufferByteCharExceptionFileInfoMultiOutputScreenThrowWide
String ID: Invalid argument: invalid name for system account.$Unable to write to the output file
API String ID: 1538383524-2801916279
Opcode ID: 308fb4f3c2a1036cb984b29400b2b8ca0ef6e1912ae0c7e84371cfa7f772df9b
Instruction ID: dbd91e06a452929bfeb1e57b80f0e81a07151c0e8f80fb31b16e1d9d2297a2c0
Opcode Fuzzy Hash: 308fb4f3c2a1036cb984b29400b2b8ca0ef6e1912ae0c7e84371cfa7f772df9b
Instruction Fuzzy Hash: E7417A71A00219BFEB14DB64CC49FBEB7A8FB89700F148219F506E6154DBA8AD44DBA0

Function 00744DA1 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(0000009C,0074B798,0074B798,?,007441E4,0074B798,00000000,?), ref: 00744DBF

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 48919a17b32fa9354f5b03d191f3df48c55ccb33ee07898fb68782f686b57418
Instruction ID: 1f0037681d5d1bfe0ebed54f5c10b20e465f6c688de9960db7c82f28c9063a98
Opcode Fuzzy Hash: 48919a17b32fa9354f5b03d191f3df48c55ccb33ee07898fb68782f686b57418
Instruction Fuzzy Hash: 75F0E93250D3C46AD7028B28AC197D63FC8D777309F4444A0D54242151E3DC8C45EB69

Non-executed Functions

Function 0074282B Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 160timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,0074B798,00000000), ref: 0074285F
GetSystemTimeAsFileTime.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,0074B798,00000000), ref: 0074288D
_finite.API-MS-WIN-CRT-MATH-L1-1-0(00000000,00000000), ref: 007428F7
_finite.API-MS-WIN-CRT-MATH-L1-1-0(00000000,00000000), ref: 0074290C

Strings

TRANSFER RATE: , xrefs: 0074295E
TIME REMAINING: , xrefs: 00742A01

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: Time$FileSystem_finite
String ID: TIME REMAINING: $TRANSFER RATE:
API String ID: 2026750613-2454852989
Opcode ID: a4f03277e7c3e0dd240b0101317b9fda3e629db21580b6f655ef50322c544a5c
Instruction ID: 90455029aade695501dd9f4e23403e6bd8a266434295a6d46d3e4fa694324d36
Opcode Fuzzy Hash: a4f03277e7c3e0dd240b0101317b9fda3e629db21580b6f655ef50322c544a5c
Instruction Fuzzy Hash: E4515E74608B06EFD708DF25D54856ABBE0FF88310F414A5DF8C592A51DB38E875CB86

Function 0074745B Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000017), ref: 00747469
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000003), ref: 0074748F
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000050), ref: 00747519
IsDebuggerPresent.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00747535
SetUnhandledExceptionFilter.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 00747555
UnhandledExceptionFilter.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?), ref: 0074755F

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: 09746d2525fed48951f4f21e4838bddcf9ff65b1443921e586908d7ecfa0c1e1
Instruction ID: e4e3af12aa83cff118520ebcf9153aafe7cad855db12d6ea7cfb5bf2d24f60a8
Opcode Fuzzy Hash: 09746d2525fed48951f4f21e4838bddcf9ff65b1443921e586908d7ecfa0c1e1
Instruction Fuzzy Hash: F231E675D4531C9BDB20DFA4D989BCDBBB8AF08300F1041AAE409AB250EB759A85CF45

Function 0073AC11 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0073AB8B: _o__stricmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,localsystem,?,?,?,0073AC3E,?,?,00000000,?), ref: 0073ABA3
Part of subcall function 0073AB8B: SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(000000A0,?,?,?,0073AC3E,?,?,00000000,?), ref: 0073ABF8

AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000001,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0073AC55
ConvertSidToStringSidW.API-MS-WIN-SECURITY-SDDL-L1-1-0(?,?), ref: 0073AC66
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,00000000,?), ref: 0073AC70
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 0073AC79

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$AllocateConvertInitializeString_o__stricmp
String ID:
API String ID: 4051132713-0
Opcode ID: d42f3ed18c80a91bb60b58025f6e010204f15e0379cc17d21a387bb122ad613a
Instruction ID: 436b42861cbf187ed6e19c3eb8d52d81da2c21747ab0e222758ba5a813261920
Opcode Fuzzy Hash: d42f3ed18c80a91bb60b58025f6e010204f15e0379cc17d21a387bb122ad613a
Instruction Fuzzy Hash: 47015E70A10309AFEB109FB5DC899AFB7BCFF04304B048829A952D2151DBB8DD008B64

Function 00746F07 Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,00747032,007210BC), ref: 00746F0E
UnhandledExceptionFilter.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00747032,?,00747032,007210BC), ref: 00746F17
GetCurrentProcess.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(C0000409,?,00747032,007210BC), ref: 00746F22
TerminateProcess.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,00747032,007210BC), ref: 00746F29

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: f7e84800ebc52650a2ca762b9ef5c42b252775013a3822e31c69dac23ccbb659
Instruction ID: 4a6a101599e229c672b2f360986c86f453a1004dbc0f986c2542f7cb1628c69b
Opcode Fuzzy Hash: f7e84800ebc52650a2ca762b9ef5c42b252775013a3822e31c69dac23ccbb659
Instruction Fuzzy Hash: D9D0C932000308ABC7442BE1ED0CA4E3E28FB49712F048000F30B82020CBBA98018B99

Function 007372AB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(00735858,00000000,00000004,00735848,007557A4,00000000,0074625E,0000001C,00736D43,Pending file operations: None), ref: 007372D0

Strings

Unable to connect to BITS, xrefs: 007372D8

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CreateInstance
String ID: Unable to connect to BITS
API String ID: 542301482-3106224705
Opcode ID: 6cb7c9161b4350fe3e09b131b32746265dba25470fbcaf08c91a0ee523576d05
Instruction ID: 81dfb3714cff9303ee84c8058080189fcf2190781df12867897a9658fa396e17
Opcode Fuzzy Hash: 6cb7c9161b4350fe3e09b131b32746265dba25470fbcaf08c91a0ee523576d05
Instruction Fuzzy Hash: 71D0A7A4B81B24ABE6245204AC19BDA1542DBC8712F200438BA05691C38DFC08048A8C

Function 00736BB0 Relevance: 89.7, APIs: 22, Strings: 29, Instructions: 428
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,/VERBOSE), ref: 00736BE5
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00736C13
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 00736DB8
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8,?,?,?,0074A6D8), ref: 00736DFA
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,TRUE,?,?,00000000), ref: 00736E31
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,FALSE,00000000), ref: 00736E44
GetProcAddress.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,EvtOpenChannelConfig,00000000), ref: 00736E77
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00736E84
FreeLibrary.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?), ref: 00736E8D
GetProcAddress.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,EvtGetChannelConfigProperty), ref: 00736EB9
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00736EC6
FreeLibrary.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?), ref: 00736ECF
GetProcAddress.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,EvtSetChannelConfigProperty), ref: 00736EF3
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00736F00
GetProcAddress.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,EvtSaveChannelConfig), ref: 00736F26
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00736F32
FreeLibrary.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?), ref: 00736F3B
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00736F9C
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00736FFA
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00737043
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8,?,?,00000000), ref: 007370CC

Strings

Invalid argument., xrefs: 00736C3B, 00736D96, 00737098, 007370AC
EvtSetChannelConfigProperty, xrefs: 00736EED
Microsoft-Windows-Bits-Client/Analytic, xrefs: 00736F63
Error saving Microsoft-Windows-Bits-Client/Analytic channel config property, xrefs: 0073705A
Microsoft-Windows-Bits-Client/Analytic Channel already Disabled, xrefs: 00737091
Error Loading procedure EvtOpenChannelConfig, xrefs: 00736EA4
Error setting Microsoft-Windows-Bits-Client/Analytic channel config property, xrefs: 00737011
Microsoft-Windows-Bits-Client/Analytic Channel Disabled, xrefs: 0073706A, 0073706F
Error Loading procedure EvtSetChannelConfigProperty, xrefs: 00736F19
EvtSaveChannelConfig, xrefs: 00736F20
Pending file operations: None, xrefs: 00736D1D
SUCCESS - no BITS configuration errors were found!!, xrefs: 00736D81
Error Loading procedure EvtSaveChannelConfig, xrefs: 00736F52
ERROR - BITS configuration errors were found!! Error code , xrefs: 00736D75
Unable to load wevtapi.dll, xrefs: 00736E64
Error checking version., xrefs: 00736C04
TRUE, xrefs: 00736E2A
This command is no longer applicable on any supported version of the operating system., xrefs: 00736DD6
Version of BITS installed on the system: , xrefs: 00736C6F
Error Loading procedure EvtGetChannelConfigProperty, xrefs: 00736EE6
Unable to get Microsoft-Windows-Bits-Client/Analytic channel config property, xrefs: 00736FB3
FALSE, xrefs: 00736E3D
/VERBOSE, xrefs: 00736BDE
Checking BITS main COM interfaces... , xrefs: 00736D4C
Microsoft-Windows-Bits-Client/Analytic Channel already Enabled, xrefs: 00737080
File version for BITS binaries: , xrefs: 00736CCD
Microsoft-Windows-Bits-Client/Analytic Channel Enabled, xrefs: 00737061
EvtOpenChannelConfig, xrefs: 00736E71
EvtGetChannelConfigProperty, xrefs: 00736EB3

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$AddressProc$ExceptionFreeLibraryThrow_o__wcsicmp
String ID: Checking BITS main COM interfaces... $Pending file operations: None$SUCCESS - no BITS configuration errors were found!!$/VERBOSE$ERROR - BITS configuration errors were found!! Error code $Error Loading procedure EvtGetChannelConfigProperty$Error Loading procedure EvtOpenChannelConfig$Error Loading procedure EvtSaveChannelConfig$Error Loading procedure EvtSetChannelConfigProperty$Error checking version.$Error saving Microsoft-Windows-Bits-Client/Analytic channel config property$Error setting Microsoft-Windows-Bits-Client/Analytic channel config property$EvtGetChannelConfigProperty$EvtOpenChannelConfig$EvtSaveChannelConfig$EvtSetChannelConfigProperty$FALSE$File version for BITS binaries: $Invalid argument.$Microsoft-Windows-Bits-Client/Analytic$Microsoft-Windows-Bits-Client/Analytic Channel Disabled$Microsoft-Windows-Bits-Client/Analytic Channel Enabled$Microsoft-Windows-Bits-Client/Analytic Channel already Disabled$Microsoft-Windows-Bits-Client/Analytic Channel already Enabled$TRUE$This command is no longer applicable on any supported version of the operating system.$Unable to get Microsoft-Windows-Bits-Client/Analytic channel config property$Unable to load wevtapi.dll$Version of BITS installed on the system:
API String ID: 2161366900-3715204312
Opcode ID: 49bd02192689d72ec2c00b52932182c8a658d14741d3a2fc6867827180245a61
Instruction ID: 9745ae24c24eeec7a92d8b4a251da22ba0dcfe27b360a931d16a6e4165921489
Opcode Fuzzy Hash: 49bd02192689d72ec2c00b52932182c8a658d14741d3a2fc6867827180245a61
Instruction Fuzzy Hash: 5CC119B5B44321FBEB28AB64DC1976E7655EF80B00F10C129F542AB292DF7CCD0097A5

Function 00743A9A Relevance: 44.1, APIs: 4, Strings: 21, Instructions: 355
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(00000000,00000002,007219A4,0074B798,00000000), ref: 00743AD4
CoCreateInstance.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(00735858,00000000,00000004,00735848,?,The BITS service will be started if not already running.,Attempting to instantiate BITS main interface, IBackgroundCopyManager...), ref: 00743B3B
CoUninitialize.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0 ref: 00743E80
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 00743E87

Strings

SUCCESS - IBackgroundCopyJobHttpOptions is correctly registered., xrefs: 00743CDF
Failed to query for BITS IBackgroundCopyJob3 interface (only available on BITS 2.0 and later versions), xrefs: 00743C0D
Failed to query for BITS IBackgroundCopyJob4 interface (only available on BITS 3.0 and later versions), xrefs: 00743C4F
SUCCESS - IBackgroundCopyJobHttpOptions3 is correctly registered., xrefs: 00743D63
Attempting to instantiate BITS main interface, IBackgroundCopyManager..., xrefs: 00743B12
SUCCESS - IBackgroundCopyJob2 is correctly registered., xrefs: 00743BD7
SUCCESS - IBackgroundCopyJob3 is correctly registered., xrefs: 00743C19
SUCCESS - IBackgroundCopyJob is correctly registered., xrefs: 00743B95
Failed to query for BITS IBackgroundCopyJobHttpOptions2 interface (only available on BITS 10.2 and later versions), xrefs: 00743D15
Failed to query for BITS IBackgroundCopyJob5 interface (only available on BITS 5.0 and later versions), xrefs: 00743C91
]ms, xrefs: 00743B73, 00743D6F, 00743BA1, 00743BE3, 00743C25, 00743C67, 00743CA9, 00743CEB, 00743D2D, 00743B76, 00743BB1, 00743BF3, 00743C35, 00743C77, 00743CB9, 00743CFB, 00743D3D, 00743D72
SUCCESS - IBackgroundCopyJobHttpOptions2 is correctly registered., xrefs: 00743D21
Failed to instantiate BITS IBackgroundCopyManager interface. The command /UTIL /REPAIRSERVICE might help diagnose or fix the issu, xrefs: 00743B50
Failed to query for BITS IBackgroundCopyJob2 interface (only available on BITS 1.5 and later versions), xrefs: 00743BCB
SUCCESS - IBackgroundCopyManager is correctly registered and can be instantiated., xrefs: 00743B5F
SUCCESS - IBackgroundCopyJob5 is correctly registered., xrefs: 00743C9D
Failed to query for BITS IBackgroundCopyJobHttpOptions interface (only available on BITS 2.5 and later versions), xrefs: 00743CD3
Failed to initialize COM. Error: %0X, xrefs: 00743AEC
The BITS service will be started if not already running., xrefs: 00743B1E
SUCCESS - IBackgroundCopyJob4 is correctly registered., xrefs: 00743C5B
Failed to query for BITS IBackgroundCopyJobHttpOptions3 interface (only available on BITS 10.3 and later versions), xrefs: 00743D57

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorInitializeInstanceLastUninitialize
String ID: Attempting to instantiate BITS main interface, IBackgroundCopyManager...$Failed to initialize COM. Error: %0X$Failed to instantiate BITS IBackgroundCopyManager interface. The command /UTIL /REPAIRSERVICE might help diagnose or fix the issu$Failed to query for BITS IBackgroundCopyJob2 interface (only available on BITS 1.5 and later versions)$Failed to query for BITS IBackgroundCopyJob3 interface (only available on BITS 2.0 and later versions)$Failed to query for BITS IBackgroundCopyJob4 interface (only available on BITS 3.0 and later versions)$Failed to query for BITS IBackgroundCopyJob5 interface (only available on BITS 5.0 and later versions)$Failed to query for BITS IBackgroundCopyJobHttpOptions interface (only available on BITS 2.5 and later versions)$Failed to query for BITS IBackgroundCopyJobHttpOptions2 interface (only available on BITS 10.2 and later versions)$Failed to query for BITS IBackgroundCopyJobHttpOptions3 interface (only available on BITS 10.3 and later versions)$SUCCESS - IBackgroundCopyJob is correctly registered.$SUCCESS - IBackgroundCopyJob2 is correctly registered.$SUCCESS - IBackgroundCopyJob3 is correctly registered.$SUCCESS - IBackgroundCopyJob4 is correctly registered.$SUCCESS - IBackgroundCopyJob5 is correctly registered.$SUCCESS - IBackgroundCopyJobHttpOptions is correctly registered.$SUCCESS - IBackgroundCopyJobHttpOptions2 is correctly registered.$SUCCESS - IBackgroundCopyJobHttpOptions3 is correctly registered.$SUCCESS - IBackgroundCopyManager is correctly registered and can be instantiated.$The BITS service will be started if not already running.$]ms
API String ID: 2713231385-338960803
Opcode ID: b110c725a06fc620976a69e21622f0dba1a006c2d639a4e267b2491b41d0315b
Instruction ID: f289d332b95b0475d5f0294369edaa18c4573cce9f5fc2a70643db67a8c1f654
Opcode Fuzzy Hash: b110c725a06fc620976a69e21622f0dba1a006c2d639a4e267b2491b41d0315b
Instruction Fuzzy Hash: D6C19274B00219DFDF08ABA8D8A997E77B5AF88704B04406DF506E73A2CFAC5D01DB95

Function 0073B34B Relevance: 43.9, APIs: 6, Strings: 19, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,FOREGROUND), ref: 0073B35A
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,HIGH), ref: 0073B36F
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,NORMAL), ref: 0073B384
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,LOW), ref: 0073B39B
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0073B3CC
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8,?,00000000,00000014,?,0074A6D8), ref: 0073B515

Strings

Invalid priority., xrefs: 0073B3AB
Unable to lookup job, xrefs: 0073B5E0
Use the job identifier instead of the job name., xrefs: 0073B707
jobs named ", xrefs: 0073B6E5
The job has only , xrefs: 0073B49D
unable to enumerate the job's files, xrefs: 0073B41B
HIGH, xrefs: 0073B369
Found , xrefs: 0073B6D1
The job has no files., xrefs: 0073B4F5
"., xrefs: 0073B6C1, 0073B6FB
NORMAL, xrefs: 0073B37E
unable to get the file count, xrefs: 0073B43E
file., xrefs: 0073B4C9
unable to locate the file in the job., xrefs: 0073B4D9
LOW, xrefs: 0073B395
Unable to find job named ", xrefs: 0073B6A8
files., xrefs: 0073B4BD
FOREGROUND, xrefs: 0073B354
unable to locate the file in the job, xrefs: 0073B46A

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: _o__wcsicmp$ExceptionThrow
String ID: file.$ files.$ jobs named "$".$FOREGROUND$Found $HIGH$Invalid priority.$LOW$NORMAL$The job has no files.$The job has only $Unable to find job named "$Unable to lookup job$Use the job identifier instead of the job name.$unable to enumerate the job's files$unable to get the file count$unable to locate the file in the job$unable to locate the file in the job.
API String ID: 1461274180-215028838
Opcode ID: 667273b3925d52351b1e4f7cb62af8a4f3d6e91a9bccfc372b5b08161b370c74
Instruction ID: 1ba2f8e5f5e00f590f8bb84af567d0e3e6157c884c6a6e808620315b562b0c59
Opcode Fuzzy Hash: 667273b3925d52351b1e4f7cb62af8a4f3d6e91a9bccfc372b5b08161b370c74
Instruction Fuzzy Hash: 07419471B00225EFDB09EB64EC1ABAE72A5EF59710F204429F106E7292DFBC9D018795

Function 00742291 Relevance: 38.9, APIs: 4, Strings: 18, Instructions: 418
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000401,00000000,00000000), ref: 00742608
EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,0000001C,0074201D), ref: 0074261E
LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?), ref: 0074266B

Part of subcall function 00737279: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0073729F

Part of subcall function 007450E8: EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,?,0074B798,?,?,?,?,?,?,?,?), ref: 00745102
Part of subcall function 007450E8: GetConsoleScreenBufferInfo.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00745118
Part of subcall function 007450E8: FillConsoleOutputCharacterW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000020,00740700,?,?,?,?,?,?,?,?,?,?), ref: 00745143
Part of subcall function 007450E8: FillConsoleOutputAttribute.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,00740700,?,?,?,?,?,?,?,?,?,?), ref: 0074515E
Part of subcall function 007450E8: SetConsoleCursorPosition.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00745171
Part of subcall function 007450E8: LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,?,?,?,?,?,?,?,?), ref: 0074517C

Part of subcall function 0074523C: EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,00000000,0074B798,Software\Policies\Microsoft\Windows\BITS,00746A01,?, Maximum network bandwidth utilization allowed is ,Software\Policies\Microsoft\Windows\BITS,MaxTransferRateOnSchedule,YES ,Software\Policies\Microsoft\Windows\BITS,EnableBITSMaxBandwidth,Is BITS's maximum network bandwidth utilization policy active? ,0000001C,00736D43,Pending file operations: None), ref: 0074525A
Part of subcall function 0074523C: SetConsoleTextAttribute.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 0074526F
Part of subcall function 0074523C: LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764), ref: 00745276

Part of subcall function 00745289: EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,00000000,0074B798,Software\Policies\Microsoft\Windows\BITS,00746A17,?,?,00000000,?, Maximum network bandwidth utilization allowed is ,Software\Policies\Microsoft\Windows\BITS,MaxTransferRateOnSchedule,YES ,Software\Policies\Microsoft\Windows\BITS,EnableBITSMaxBandwidth,Is BITS's maximum network bandwidth utilization policy active? ), ref: 007452A7
Part of subcall function 00745289: SetConsoleTextAttribute.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 007452BB
Part of subcall function 00745289: LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764), ref: 007452C2

GetCurrentThreadId.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 007427FB

Strings

PRIORITY: , xrefs: 00742424
Unable to get display name, xrefs: 00742366
DISPLAY: ', xrefs: 00742386
Unable to get job type, xrefs: 007422ED
TYPE: , xrefs: 007423C0
Unable to get job priority, xrefs: 00742333
Unable to get job progress, xrefs: 00742310
Transfer complete., xrefs: 007426A4
Unable to get error code, xrefs: 00742790
UNKNOWN, xrefs: 007424D9, 0074257C
Unable to get job error, xrefs: 007426F9, 00742769
BYTES: , xrefs: 0074249C
Transfer canceled., xrefs: 007425EF
FILES: , xrefs: 00742450
Unable to complete transfer., xrefs: 007427D8
STATE: , xrefs: 007423EC
/ , xrefs: 00742474, 00742479, 007424BF
Unable to complete job, xrefs: 00742651

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Console$EnterLeave$Attribute$CurrentFillOutputTextThread$BufferCharacterCursorExceptionInfoPositionScreenThrow
String ID: / $ BYTES: $ FILES: $ STATE: $ TYPE: $DISPLAY: '$PRIORITY: $Transfer canceled.$Transfer complete.$UNKNOWN$Unable to complete job$Unable to complete transfer.$Unable to get display name$Unable to get error code$Unable to get job error$Unable to get job priority$Unable to get job progress$Unable to get job type
API String ID: 2433330-4121774604
Opcode ID: 004118ea4bb8d4711f6d7ccc7f525498ecd71c987067f2e536ba777a7d95603d
Instruction ID: 7c81c844bc2843d1eb48cc4f747a2580de7137998fb6eb74022c15e5c6dc50d7
Opcode Fuzzy Hash: 004118ea4bb8d4711f6d7ccc7f525498ecd71c987067f2e536ba777a7d95603d
Instruction Fuzzy Hash: 86E1A174B00215DBDF19ABA0C8597BE7BA2AF88310F144159F901AB3A3CF7C9C52DB95

Function 0073BD0E Relevance: 31.8, APIs: 1, Strings: 17, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0073BD15

Part of subcall function 00737279: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0073729F

Strings

Unable to enum files in job, xrefs: 0073BD45
Unable to get file progress, xrefs: 0073BE87
Unable to get file URL, xrefs: 0073BE93
offset , xrefs: 0073C058
Unable to get local file name, xrefs: 0073BE9F
UNKNOWN, xrefs: 0073BFBF
-> , xrefs: 0073BFF3
to eof, xrefs: 0073C097, 0073C0AC
Unable to get file progress, xrefs: 0073BDC4
COMPLETED, xrefs: 0073BF80
, length , xrefs: 0073C075
Unable to get file URL, xrefs: 0073BDF7
/ , xrefs: 0073BF99
unable to get file ranges, xrefs: 0073BEE7, 0073BF0A
Unable to get local file name, xrefs: 0073BE2A
Ranges:, xrefs: 0073C031
WORKING, xrefs: 0073BF87, 0073BFD5

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionH_prolog3_catch_Throw
String ID: offset $ -> $ / $, length $COMPLETED$Ranges:$UNKNOWN$Unable to enum files in job$Unable to get file URL$Unable to get file URL$Unable to get file progress$Unable to get file progress$Unable to get local file name$Unable to get local file name$WORKING$to eof$unable to get file ranges
API String ID: 3398958772-3944514534
Opcode ID: fb31f2c17c1c3779681e969634feeea5f4f52e58cf5c9b4b83fe7d288b765be2
Instruction ID: 4bd8a88c681245d815e93ca68d31d94195e6f3e6d408bbf94d3b3e2280474d9e
Opcode Fuzzy Hash: fb31f2c17c1c3779681e969634feeea5f4f52e58cf5c9b4b83fe7d288b765be2
Instruction Fuzzy Hash: D2A17D70A04218EBEF28EBA4DC59BADBBB1AF48314F154169F502B72A3CB7C5D05DB41

Function 00740530 Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,/VERBOSE), ref: 0074055D
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,/ALLUSERS), ref: 00740578
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 00740619
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 00740678
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,/ALLUSERS), ref: 007406AC
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,/REFRESH), ref: 007406C7
SleepEx.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,00000001, second refresh),00000005,00000000,MONITORING BACKGROUND COPY MANAGER(), ref: 00740736

Strings

Invalid argument., xrefs: 007405F7, 00740769
job(s)., xrefs: 007405BF
second refresh), xrefs: 00740716
Listed , xrefs: 007405A9
/VERBOSE, xrefs: 00740555
/MONITOR will only work with the console., xrefs: 00740656
/ALLUSERS, xrefs: 00740570, 007406A4
MONITORING BACKGROUND COPY MANAGER(, xrefs: 00740700
/REFRESH is missing the refresh rate., xrefs: 00740743
/REFRESH, xrefs: 007406BF
Invalid number of arguments., xrefs: 007405D4, 0074078F

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: _o__wcsicmp$ExceptionThrow$Sleep
String ID: job(s).$ second refresh)$/ALLUSERS$/MONITOR will only work with the console.$/REFRESH$/REFRESH is missing the refresh rate.$/VERBOSE$Invalid argument.$Invalid number of arguments.$Listed $MONITORING BACKGROUND COPY MANAGER(
API String ID: 582433157-1443613933
Opcode ID: fefc0ea0ec23b87d3f5a57f08357fb453e7bda4ed89bb9f70a35783b099452d5
Instruction ID: 113ba637c34d70404a949ec5bd3294f9f994067c0ada203107018a32ea235ebd
Opcode Fuzzy Hash: fefc0ea0ec23b87d3f5a57f08357fb453e7bda4ed89bb9f70a35783b099452d5
Instruction Fuzzy Hash: 44510471244301EBEB24AB389C6AF6E26859BD2B50F114029F6426B2D3DF7CDC1597D3

Function 0074393E Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0(00000000,ServicesActive,80000000,00000000,0074B798,00000000,?,?,00743D97), ref: 0074396D
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,00743D97), ref: 0074397A
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,00743D97), ref: 00743A83

Strings

BITS, xrefs: 007439A3
Failed to get the status of the BITS service, xrefs: 00743A42
ServicesActive, xrefs: 00743966
Failed to find BITS service, xrefs: 007439CE
Failed to open the service controller to check for the BITS service, xrefs: 00743993

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$ManagerOpen
String ID: BITS$Failed to find BITS service$Failed to get the status of the BITS service$Failed to open the service controller to check for the BITS service$ServicesActive
API String ID: 239337868-1127546326
Opcode ID: 95158898a7f0f45a789ba8857dba43803862594a0afbcb8a209adc39c3aab5c8
Instruction ID: d05feed3d019f3e3849748386c9f2ff246c732b8395f07f071b7dccbde64b646
Opcode Fuzzy Hash: 95158898a7f0f45a789ba8857dba43803862594a0afbcb8a209adc39c3aab5c8
Instruction Fuzzy Hash: D131C772B80322AFE7159B658C5CB2F7669BF44715F20C129F88AD6250EBBCDE009694

Function 00744ED0 Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764), ref: 00744EDA
GetStdHandle.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(000000F6,0074B75C), ref: 00744EF5
GetConsoleMode.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 00744EFC
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00744F06
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00744F3D
GetConsoleScreenBufferInfo.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0000009C,0074B77C), ref: 00744F64
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00744F73
GetConsoleMode.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B760), ref: 00744F96
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00744FA0
EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764), ref: 00744FC0
SetConsoleMode.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 00744FE4
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00744FEE
LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764), ref: 0074500A

Strings

Unable set console mode, xrefs: 00744FFF
Unable to get console handle, xrefs: 00744F4E
Unable get setup console information, xrefs: 00744F6A
Unable to get console input mode, xrefs: 00744F17

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$Console$CriticalModeSection$BufferEnterHandleInfoInitializeLeaveScreen
String ID: Unable get setup console information$Unable set console mode$Unable to get console handle$Unable to get console input mode
API String ID: 3323174715-3247012241
Opcode ID: 435936adba2229119bf62d1e815713c50f0cb983cd05a5a02702e8d20d9a14f2
Instruction ID: a79dd78287651b350306f5fc247e1c2dcc160aca89cee1af09eb2f8f6dbc4678
Opcode Fuzzy Hash: 435936adba2229119bf62d1e815713c50f0cb983cd05a5a02702e8d20d9a14f2
Instruction Fuzzy Hash: B531E4347002609BD7156B79AD4D77B3BD9EF86711B14882AF502D22A2DBACCC05A7A4

Function 00744686 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 335memoryCOMMON

Download Yara Rule

APIs

_o_wcstol.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000A,?,?,00000001), ref: 00744713
wcschr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002D), ref: 00744744
_o_wcstoul.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00744776
_o_iswxdigit.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000), ref: 0074482E
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,?), ref: 007448A7
_o_wcstoul.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000002,?,?), ref: 007448F8
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00744923
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000008,00000058,?), ref: 00744965
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 0074497A
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000539), ref: 0074498E
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000539), ref: 007449C6
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 007449D1
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 007449DC
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000539,?,?,00000001), ref: 007449EE
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000057,?,?,00000001), ref: 007449F6

Strings

X, xrefs: 007446E3

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$Local$AllocFree_o_wcstoul$_o_iswxdigit_o_wcstolmemcpywcschr
String ID: X
API String ID: 2539269294-3081909835
Opcode ID: 04315b343f12292bb625f4846e96a283ad372a8636d046dd594d1c6cb0ce616b
Instruction ID: 393dd988d9ec1e52e01c56ecec337b4c6755be9cd89bfa7ba247ea651e71cbd8
Opcode Fuzzy Hash: 04315b343f12292bb625f4846e96a283ad372a8636d046dd594d1c6cb0ce616b
Instruction Fuzzy Hash: B8B10A75D00359AFDB249FA4D8457BEB7B4FF09710F24C41AE581AB280E3789D82EB94

Function 0073837B Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 263COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00738382

Part of subcall function 00737279: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0073729F

Part of subcall function 0074523C: EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,00000000,0074B798,Software\Policies\Microsoft\Windows\BITS,00746A01,?, Maximum network bandwidth utilization allowed is ,Software\Policies\Microsoft\Windows\BITS,MaxTransferRateOnSchedule,YES ,Software\Policies\Microsoft\Windows\BITS,EnableBITSMaxBandwidth,Is BITS's maximum network bandwidth utilization policy active? ,0000001C,00736D43,Pending file operations: None), ref: 0074525A
Part of subcall function 0074523C: SetConsoleTextAttribute.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 0074526F
Part of subcall function 0074523C: LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764), ref: 00745276

Part of subcall function 00745289: EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,00000000,0074B798,Software\Policies\Microsoft\Windows\BITS,00746A17,?,?,00000000,?, Maximum network bandwidth utilization allowed is ,Software\Policies\Microsoft\Windows\BITS,MaxTransferRateOnSchedule,YES ,Software\Policies\Microsoft\Windows\BITS,EnableBITSMaxBandwidth,Is BITS's maximum network bandwidth utilization policy active? ), ref: 007452A7
Part of subcall function 00745289: SetConsoleTextAttribute.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 007452BB
Part of subcall function 00745289: LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764), ref: 007452C2

Part of subcall function 007443CE: StringFromGUID2.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,?,00000028,0074B798), ref: 007443EA

Part of subcall function 0074443B: __EH_prolog3_GS.LIBCMT ref: 00744442

Part of subcall function 0074443B: FileTimeToLocalFileTime.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,0000002C,?,0074A6D8), ref: 00744468
Part of subcall function 0074443B: FileTimeToSystemTime.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,0000002C,?,0074A6D8), ref: 00744476
Part of subcall function 0074443B: GetDateFormatW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000400,00000000,?,00000000,00000000,00000000,?,?,0000002C,?,0074A6D8), ref: 00744489
Part of subcall function 0074443B: GetDateFormatW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000400,00000000,?,00000000,00000000,00000000,?,?,0000002C,?,0074A6D8), ref: 007444CC
Part of subcall function 0074443B: GetTimeFormatW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000400,00000000,?,00000000,00000000,00000000,?,?,0000002C,?,0074A6D8), ref: 007444E7
Part of subcall function 0074443B: GetTimeFormatW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000400,00000000,?,00000000,00000000,?,?,?,0000002C,?,0074A6D8), ref: 00744522

Strings

Unable to get record remote Name, xrefs: 00738450
FILE MODIFICATION TIME: , xrefs: 0073859B
ORIGIN URL: , xrefs: 007384E8
Unable to get access time, xrefs: 007383D7
Unable to get file size, xrefs: 0073841D
ID: , xrefs: 007384B0
LAST ACCESS TIME: , xrefs: 00738567
RANGES: , xrefs: 00738606
Unable to get record ID, xrefs: 007383B0
Unable to get file ranges, xrefs: 00738477
FILE SIZE: , xrefs: 007385CF
Unable to get file modification time, xrefs: 007383FA
VALIDATED: , xrefs: 00738522

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: Time$CriticalFormatSection$File$AttributeConsoleDateEnterH_prolog3_LeaveText$ExceptionFromLocalStringSystemThrow
String ID: FILE MODIFICATION TIME: $FILE SIZE: $ID: $LAST ACCESS TIME: $ORIGIN URL: $RANGES: $Unable to get access time$Unable to get file modification time$Unable to get file ranges$Unable to get file size$Unable to get record ID$Unable to get record remote Name$VALIDATED:
API String ID: 3321430433-2504727046
Opcode ID: 050ee63c70c561a7a7f5b472c95840b5f301371981c11c6d6283735578aa15fa
Instruction ID: d82e01430dcb1b422e840187eb094e85e372ea31c098b33d71e30424ec431d89
Opcode Fuzzy Hash: 050ee63c70c561a7a7f5b472c95840b5f301371981c11c6d6283735578aa15fa
Instruction Fuzzy Hash: C9918D70B00224DFCF49ABB4D85A9AD7BB2AF88710B044169F506B73A3DF7C5C529B94

Function 00742D1C Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 270threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,007219A4,?,?, PROXY BYPASS LIST: ,?,?,?, PROXY LIST: ,?,?,PROXY USAGE: ,?,007219A4,?,00000000), ref: 00742E98

Part of subcall function 00737152: __EH_prolog3_GS.LIBCMT ref: 00737159
Part of subcall function 00737152: GetThreadLocale.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(007219A4,?, - ), ref: 007371E5

Part of subcall function 00745289: EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,00000000,0074B798,Software\Policies\Microsoft\Windows\BITS,00746A17,?,?,00000000,?, Maximum network bandwidth utilization allowed is ,Software\Policies\Microsoft\Windows\BITS,MaxTransferRateOnSchedule,YES ,Software\Policies\Microsoft\Windows\BITS,EnableBITSMaxBandwidth,Is BITS's maximum network bandwidth utilization policy active? ), ref: 007452A7
Part of subcall function 00745289: SetConsoleTextAttribute.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 007452BB
Part of subcall function 00745289: LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764), ref: 007452C2

Strings

-> , xrefs: 00742E37
Unable to get error URL, xrefs: 00742D8F
Unable to get error URL, xrefs: 00742DE5
ERROR CODE: , xrefs: 00742F6B
Unable to get error code, xrefs: 00742E82
Unable to get error file, xrefs: 00742DD9
Unable to get error file name, xrefs: 00742DF1
ERROR FILE: , xrefs: 00742E15
Unable to get error file name, xrefs: 00742DC1
- , xrefs: 00742F99, 00742FF0
ERROR CONTEXT: , xrefs: 00742FC0

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CriticalLocaleSectionThread$AttributeConsoleEnterH_prolog3_LeaveText
String ID: - $ -> $ERROR CODE: $ERROR CONTEXT: $ERROR FILE: $Unable to get error URL$Unable to get error URL$Unable to get error code$Unable to get error file$Unable to get error file name$Unable to get error file name
API String ID: 1508005478-3885720230
Opcode ID: a12cdca7e2c1bc84b29db6294cec8cde37bcb0becfe55555f04c86ca15c2622a
Instruction ID: 22b885e3505f88a428ed831de265386a922e75d914648bf218f894ab2f095ede
Opcode Fuzzy Hash: a12cdca7e2c1bc84b29db6294cec8cde37bcb0becfe55555f04c86ca15c2622a
Instruction Fuzzy Hash: D691B170E00219DBCF19AFA4C849ABEBBB2BF48310F514119F506B72A2CB7D5D12DB95

Function 0073A91E Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 124registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections,00000000,00020019,?,00000000), ref: 0073A971
RegQueryInfoKeyW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0073A99F
RegEnumValueA.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0073A9E3
CompareStringA.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000409,00000001,?,000000FF,DefaultConnectionSettings,000000FF), ref: 0073AA08
CompareStringA.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000409,00000001,?,000000FF,SavedLegacySettings,000000FF), ref: 0073AA2A
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 0073AA4A
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?), ref: 0073AA6A
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 0073AA93
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 0073AAA0

Strings

DefaultConnectionSettings, xrefs: 0073A9F3
SavedLegacySettings, xrefs: 0073AA15
Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections, xrefs: 0073A953

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CompareString$CloseEnumInfoOpenQueryValue
String ID: DefaultConnectionSettings$SavedLegacySettings$Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
API String ID: 130050147-4047373821
Opcode ID: 42a9f0df66afa805d6a1f31c3f60e16d5c02679c4c75a988c4a9b040de3d26cd
Instruction ID: 7e97f58af8f67b8658b90949bf4bada1642c8e34cb3c4df188fa2ccbf709d5bc
Opcode Fuzzy Hash: 42a9f0df66afa805d6a1f31c3f60e16d5c02679c4c75a988c4a9b040de3d26cd
Instruction Fuzzy Hash: 4D4174F190022CAFEB208F54CD85BEAB77CEB04354F0081A9E346B2191D7745E85CF68

Function 00736118 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 77COMMON

Download Yara Rule

APIs

_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,localsystem), ref: 00736127
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,networkservice), ref: 00736139
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,localservice), ref: 0073614B
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0073617B

Strings

AUTOSCRIPT , xrefs: 007361CF
AUTODETECT , xrefs: 007361AD
localservice, xrefs: 00736145
Invalid argument: invalid name for system account., xrefs: 0073615A
MANUAL_PROXY , xrefs: 007361BE
localsystem, xrefs: 00736121
NO_PROXY, xrefs: 00736191
networkservice, xrefs: 00736133

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: _o__wcsicmp$ExceptionThrow
String ID: AUTODETECT $AUTOSCRIPT $Invalid argument: invalid name for system account.$MANUAL_PROXY $NO_PROXY$localservice$localsystem$networkservice
API String ID: 1461274180-3405110261
Opcode ID: c7b574c46f4ff8dace06f976e0f2dc470026f0e0e0fb1d43fa558fedaa4cc508
Instruction ID: 4466f9a1b760baf0c495c0840b466ec22b1463da3d2536faced64fee3de21ac9
Opcode Fuzzy Hash: c7b574c46f4ff8dace06f976e0f2dc470026f0e0e0fb1d43fa558fedaa4cc508
Instruction Fuzzy Hash: C011DBB2380324B7F7192268AC1FBAE1249CFC1B61F554019FA02A31D7DFDCCD025299

Function 00737AEA Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 137COMMON

Download Yara Rule

APIs

_o_wcstok.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,007243F8,00000000), ref: 00737B52
_fwprintf_s.LIBCMT ref: 00737B83
_fwprintf_s.LIBCMT ref: 00737BB9
_o_wcstok.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,007243F8,00000000), ref: 00737BF7
CoTaskMemFree.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(00000000), ref: 00737C4F

Strings

f, xrefs: 00737BD4
' is not a valid range., xrefs: 00737C42
o, xrefs: 00737BCD
%I64u:%I64u, xrefs: 00737B7D
e, xrefs: 00737BC6
%I64u:%3c, xrefs: 00737BB1

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: _fwprintf_s_o_wcstok$FreeTask
String ID: %I64u:%3c$%I64u:%I64u$' is not a valid range.$e$f$o
API String ID: 3745326893-860737144
Opcode ID: 0a39d5f60adc131679b32ed71f5382fa6a627549b728de053891f2050731ebd3
Instruction ID: 105c5d9ef4bb5e4c3b9a223bf6435ab0db369e829369f66cc9a417ece3138000
Opcode Fuzzy Hash: 0a39d5f60adc131679b32ed71f5382fa6a627549b728de053891f2050731ebd3
Instruction Fuzzy Hash: 1B41C5B0E002199BDF28DF68C8455BEB7F5EF58310F10855DE456E7291D7788D41CB60

Function 00745E41 Relevance: 18.1, APIs: 5, Strings: 7, Instructions: 140COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000020A,007219A4,0074B798,00000000), ref: 00745E6B
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000020A,007219A4,0074B798,00000000), ref: 00745E7C
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,?,?,007219A4,0074B798,00000000), ref: 00745EC9
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,007219A4,?,?,?,?,?,?,?,007219A4,0074B798,00000000), ref: 00745FDF

Part of subcall function 00739377: __EH_prolog3_catch_GS.LIBCMT ref: 00739381
Part of subcall function 00739377: SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(000000A0,00000B40,00745BEA,?,0000020A,?,?,00000000), ref: 00739BBB

GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,007219A4,?,?,?,?,?,?,?,007219A4,0074B798,00000000), ref: 00745F23

Strings

Yes, xrefs: 00745E95
No, xrefs: 00745E9E, 00745EA3
BITS secondary service DLL path: , xrefs: 00745EAB
File version for , xrefs: 00745F45
: , xrefs: 00745F5F
Is BITS secondary service DLL active: , xrefs: 00745E8B
N/A, xrefs: 00745EE3

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$memset$H_prolog3_catch_
String ID: : $BITS secondary service DLL path: $File version for $Is BITS secondary service DLL active: $N/A$No$Yes
API String ID: 773729580-1419519819
Opcode ID: 33dbced97ede246d1f2fa660ee21e2acab400725c106aefc20ea5e29d2736e1a
Instruction ID: ceb0f11180003c044bec80defcd6d8dd4711ca1b3c07e4dbcbdf35eda3d84e45
Opcode Fuzzy Hash: 33dbced97ede246d1f2fa660ee21e2acab400725c106aefc20ea5e29d2736e1a
Instruction Fuzzy Hash: 69410BE1B00224EBDB2477758C9AABE72AD9FC4700F4105B9B906D3293DF3CCE499694

Function 0073B7DB Relevance: 18.0, APIs: 1, Strings: 11, Instructions: 33COMMON

Download Yara Rule

APIs

_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0073B81E

Part of subcall function 0073B731: __EH_prolog3_GS.LIBCMT ref: 0073B738
Part of subcall function 0073B731: CLSIDFromString.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,?,0000001C,?,0074A6D8,?,0074A6D8,?,00000000,00000014,?,0074A6D8), ref: 0073B75C

Strings

-> , xrefs: 0073BA37
Invalid argument., xrefs: 0073B99D
/UPLOAD-REPLY, xrefs: 0073B8B2
Unable to add file to job, xrefs: 0073BA12
/DOWNLOAD, xrefs: 0073B8CE
Added , xrefs: 0073BA21
Unable to create group, xrefs: 0073B92B
Created job , xrefs: 0073B95B
to job., xrefs: 0073BA4D
/UPLOAD, xrefs: 0073B897
Invalid number of arguments., xrefs: 0073B7FD

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFromH_prolog3_StringThrow
String ID: -> $ to job.$/DOWNLOAD$/UPLOAD$/UPLOAD-REPLY$Added $Created job $Invalid argument.$Invalid number of arguments.$Unable to add file to job$Unable to create group
API String ID: 1553815116-2982187091
Opcode ID: 017ef7743cc3e0f899da96bcd474f9f712c9cfa61d561e8e5ffadc325b696066
Instruction ID: ade13dd4d964cc77e8253f8c30f6e3a56427061e5e72f0920bbd0f0bf44921a3
Opcode Fuzzy Hash: 017ef7743cc3e0f899da96bcd474f9f712c9cfa61d561e8e5ffadc325b696066
Instruction Fuzzy Hash: 23E0DFB0700118BBDB04EA68C80BC9E7359CBC1750F20803AB601AB24ACFBCEE0183D1

Function 00739BDB Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 132registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00000001,?,007219A4,0074B798,00000000), ref: 00739C09
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,PendingFileRenameOperations,00000000,00000000,00000000,?), ref: 00739C26

Part of subcall function 00744BAA: CoTaskMemAlloc.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,00000000,00000000,00739C3C), ref: 00744BB1

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?), ref: 00739C4F
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,PendingFileRenameOperations,00000000,00000000,00000000,?), ref: 00739C66
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00739D01
CoTaskMemFree.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(00000000), ref: 00739D0C
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 00739D13

Strings

System\CurrentControlSet\Control\Session Manager, xrefs: 00739BF7
PendingFileRenameOperations, xrefs: 00739C1E, 00739C5E

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: QueryTaskValue$AllocCloseErrorFreeLastOpenmemset
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager
API String ID: 2749012242-3057196482
Opcode ID: 4e702bc38ac00e03489489d6dfaff62f42f664dcfca56e1a7ee8165cec90b47b
Instruction ID: 44bc9affd2613cadeea55a5690e71de785a5385a8d5ecd66457a3b16a27515f8
Opcode Fuzzy Hash: 4e702bc38ac00e03489489d6dfaff62f42f664dcfca56e1a7ee8165cec90b47b
Instruction Fuzzy Hash: B741F535A00215ABDB259F78CCC5AEFBBB9FF41781F148168E50396201E7B99E05DBA0

Function 0074443B Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 128timeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00744442
FileTimeToLocalFileTime.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,0000002C,?,0074A6D8), ref: 00744468
FileTimeToSystemTime.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,0000002C,?,0074A6D8), ref: 00744476
GetDateFormatW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000400,00000000,?,00000000,00000000,00000000,?,?,0000002C,?,0074A6D8), ref: 00744489
GetDateFormatW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000400,00000000,?,00000000,00000000,00000000,?,?,0000002C,?,0074A6D8), ref: 007444CC
GetTimeFormatW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000400,00000000,?,00000000,00000000,00000000,?,?,0000002C,?,0074A6D8), ref: 007444E7
GetTimeFormatW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000400,00000000,?,00000000,00000000,?,?,?,0000002C,?,0074A6D8), ref: 00744522

Strings

ERROR, xrefs: 00744495, 0074452C, 00744549, 00744563
UNKNOWN, xrefs: 00744454

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: Time$Format$File$Date$H_prolog3_LocalSystem
String ID: ERROR$UNKNOWN
API String ID: 3774243485-509746078
Opcode ID: 9780285ce872710302da096f9d336cbedfde1a5b5b7b9ebbfd928e1485197c87
Instruction ID: d14848129b4e79c2f118ce46580fa87e97c716333e9d57c5899f7fbbdb7c7a87
Opcode Fuzzy Hash: 9780285ce872710302da096f9d336cbedfde1a5b5b7b9ebbfd928e1485197c87
Instruction Fuzzy Hash: 9E31A6F1744309FFEF159AA49C86FBE726CDB44744F108029F706EA1D1DBAC8D019664

Function 007450E8 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,?,0074B798,?,?,?,?,?,?,?,?), ref: 00745102
GetConsoleScreenBufferInfo.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00745118
FillConsoleOutputCharacterW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000020,00740700,?,?,?,?,?,?,?,?,?,?), ref: 00745143
FillConsoleOutputAttribute.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,00740700,?,?,?,?,?,?,?,?,?,?), ref: 0074515E
SetConsoleCursorPosition.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00745171
LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,?,?,?,?,?,?,?,?), ref: 0074517C
LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,?,?,?,?,?,?,?,?), ref: 00745185
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,?,?,?,?), ref: 0074518B

Strings

Unable to move to line, xrefs: 0074519F

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: Console$CriticalSection$FillLeaveOutput$AttributeBufferCharacterCursorEnterErrorInfoLastPositionScreen
String ID: Unable to move to line
API String ID: 2528354083-1525019594
Opcode ID: 6e07875782935ea30a0cb524774b153acd15992db5686ce3a3caa242e7607a6c
Instruction ID: c606d44a0601c6095255ea108cadf0f49523302087fdcc26ebd1dc604565ff82
Opcode Fuzzy Hash: 6e07875782935ea30a0cb524774b153acd15992db5686ce3a3caa242e7607a6c
Instruction Fuzzy Hash: EA214D31A00219AFDB159FA1DD48ABF7BB9FF4A700B10842AE406E5160DB6DCD01DBA5

Function 0073A66C Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00020019,?,?,DefaultConnectionSettings), ref: 0073A69B
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(DefaultConnectionSettings), ref: 0073A6A5
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 0073A6AE
RegQueryValueExA.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,ProxySettingsPerUser,00000000,?,?,?,00000000,?,DefaultConnectionSettings), ref: 0073A6D0
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,DefaultConnectionSettings), ref: 0073A6DB
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,DefaultConnectionSettings), ref: 0073A6F6

Strings

DefaultConnectionSettings, xrefs: 0073A674
ProxySettingsPerUser, xrefs: 0073A6C8
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 0073A68B

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CloseOpenQueryValue
String ID: DefaultConnectionSettings$ProxySettingsPerUser$SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
API String ID: 772312138-2532985428
Opcode ID: 272b659034b2da8168d709fdf3188638d628c2fc00b6613785625f43bb57d6ec
Instruction ID: 5b62212f7aabfce2f512dc339496ec1e54c85e9b79bd05960a67c4d4c58f69e1
Opcode Fuzzy Hash: 272b659034b2da8168d709fdf3188638d628c2fc00b6613785625f43bb57d6ec
Instruction Fuzzy Hash: AB118272D40218FFEB119F91DC4AEAFBBBCEF84741F148466E552E2101D7B84A01DB95

Function 0074611D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeExW.API-MS-WIN-CORE-VERSION-L1-1-0(00000002,?,?,00000010,00000000,00000000,?,00745DA0,?), ref: 0074614D
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,00745DA0,?,?,?,?,?,?,?,?,?,?,?,?,0074B798,00000000), ref: 0074615A
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(000000A0,00000010,00000000,00000000,?,00745DA0,?), ref: 007461CD

Strings

\VarFileInfo\Translation, xrefs: 0074619D

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FileInfoSizeVersion
String ID: \VarFileInfo\Translation
API String ID: 2520436826-675650646
Opcode ID: 90026d03052900b00eb9ce9340d98d06977667cf6dc2ed3658e335470dd47fb3
Instruction ID: e4e3431ab6c78b29de18895beac2eaa86c6b7a71b796a3377baa70e6f062d968
Opcode Fuzzy Hash: 90026d03052900b00eb9ce9340d98d06977667cf6dc2ed3658e335470dd47fb3
Instruction Fuzzy Hash: 8221C675A00329ABD7115BA4DC48ABF7B7CEF46B50F10802AF902E7241D7B88D00D7E5

Function 007433F0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 69COMMON

Download Yara Rule

APIs

_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,/VERBOSE), ref: 00743412
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0074349E

Strings

Invalid argument., xrefs: 0074347D
Listed , xrefs: 00743447
/VERBOSE, xrefs: 0074340A
Peercaching client is not enabled., xrefs: 00743476
peer(s)., xrefs: 0074345D
Invalid number of arguments., xrefs: 0074346F

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionThrow_o__wcsicmp
String ID: peer(s).$/VERBOSE$Invalid argument.$Invalid number of arguments.$Listed $Peercaching client is not enabled.
API String ID: 2727266494-2441435057
Opcode ID: 0602b842cffab754e6d2dd7180e95a3d0911f9d4f6eca7e78b2c66618d85ccb7
Instruction ID: 6dcf54c99d0bd4be347689c53d45fce408ad048a59232722d8abb2c4d9a1ced6
Opcode Fuzzy Hash: 0602b842cffab754e6d2dd7180e95a3d0911f9d4f6eca7e78b2c66618d85ccb7
Instruction Fuzzy Hash: 12016B61340254E7DB26367C9C4BABE2746DBC1760F204026F4496B282CFBCCF0283A1

Function 00745CAB Relevance: 13.6, APIs: 4, Strings: 5, Instructions: 114COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000020A,?,0074B798,00000000), ref: 00745CD4
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000410,?,00000000,0000020A,?,0074B798,00000000), ref: 00745CE6
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,?,?,?,0074B798,00000000), ref: 00745E1F

Strings

%-40s %d.%d.%d.%-4d %d, xrefs: 00745DD3
version, xrefs: 00745D12
langId, xrefs: 00745D0D
file path, xrefs: 00745D17
%-40s %-9s %s, xrefs: 00745D1C

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: memset$ErrorLast
String ID: %-40s %-9s %s$%-40s %d.%d.%d.%-4d %d$file path$langId$version
API String ID: 2570506013-3335669471
Opcode ID: 263e7a963eaee01f1a47076fe7e5b7392d86bab5ed51e0017e95ecdb743e27e5
Instruction ID: d188b8f1ddb3c52fd3ab507b828bdf60fea97a9525252d8fa461a7b8fbcf228a
Opcode Fuzzy Hash: 263e7a963eaee01f1a47076fe7e5b7392d86bab5ed51e0017e95ecdb743e27e5
Instruction Fuzzy Hash: 724196B1A41629EBDB64D764CC89AEA73A99F48710F0001E1F909D7142EF3DDF94CBA0

Function 0073A460 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 179synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 0073A642
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 0073A649

Strings

DefaultConnectionSettings, xrefs: 0073A4B8, 0073A4EF, 0073A506
<, xrefs: 0073A52F

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastMutexRelease
String ID: <$DefaultConnectionSettings
API String ID: 1973045865-3499525693
Opcode ID: 5c8473dd36c648f911cafa4c1d8d269abc5e2083fb3145995e8b7a0af3048975
Instruction ID: 3945db09a3abf9c1867b88496e8092a828c17f1fec8b0649e8adcbb97cf11590
Opcode Fuzzy Hash: 5c8473dd36c648f911cafa4c1d8d269abc5e2083fb3145995e8b7a0af3048975
Instruction Fuzzy Hash: 0E51BBB190121AFBEB15DF94D98BAEEB77CBF04300F144116F542A6092EB78DE54CB92

Function 0073749F Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 164COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?), ref: 007374ED
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0073755C
_o_getc.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00737592
_o_ungetc.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000), ref: 00737605

Strings

warning: quoted string in line , xrefs: 007375DC
out of memory, xrefs: 0073753B
has no closing quote, xrefs: 007375F2

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionThrow_o_getc_o_ungetcmemcpy
String ID: has no closing quote$out of memory$warning: quoted string in line
API String ID: 1671251836-1880072796
Opcode ID: dc5c250b927142a1c4f7d805ed0f42fd5eed523e74b8eb53e883a132ec50253a
Instruction ID: c1993d45377625bdba983fae3cd420efb5a0ea1259a222a7bccd181b047e1a7b
Opcode Fuzzy Hash: dc5c250b927142a1c4f7d805ed0f42fd5eed523e74b8eb53e883a132ec50253a
Instruction Fuzzy Hash: 1B4128B1208305EBE72CDF28D845AAEB7A4EF85320F24452AF45597292EB789D14C751

Function 00742B1C Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 108COMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(000000F6,00000000,00000000,?,?,?,?,00742043), ref: 00742B34
ReadConsoleInputW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,00000001,?,?,?,?,?,00742043), ref: 00742B47
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,00742043), ref: 00742B51

Strings

Unable to suspend job, xrefs: 00742C28
Unable to read job state, xrefs: 00742B9D
Unable to resume job, xrefs: 00742BE3
Unable to read console input, xrefs: 00742B65

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleErrorHandleInputLastRead
String ID: Unable to read console input$Unable to read job state$Unable to resume job$Unable to suspend job
API String ID: 2521167954-592013602
Opcode ID: bf7df2e04f786f05a377bfe0621a227fbe6b2d9162e5c4288fdcd072fba74831
Instruction ID: 8824e72fcaef870c4018713225d304c0a1352ecf39953377edf65dbb6848871e
Opcode Fuzzy Hash: bf7df2e04f786f05a377bfe0621a227fbe6b2d9162e5c4288fdcd072fba74831
Instruction Fuzzy Hash: 8C31FB74A002099FDF28ABA4D8986BE73B4EF09304F904859F512D7292DB7CDD93C765

Function 0073F239 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000019(TokenIntegrityLevel),?,0000004C,?), ref: 0073F258
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,TokenIntegrityLevel,?,0000004C,?), ref: 0073F262
GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,?,TokenIntegrityLevel,?,0000004C,?), ref: 0073F287
CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000000,?,?,?,?,?,TokenIntegrityLevel,?,0000004C,?), ref: 0073F29B
CoTaskMemFree.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(00000000,?,?,?,?,TokenIntegrityLevel,?,0000004C,?), ref: 0073F2A6

Strings

out of memory, xrefs: 0073F2B1
unable to get token information, xrefs: 0073F276

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CopyErrorFreeInformationLastLengthTaskToken
String ID: out of memory$unable to get token information
API String ID: 2177740093-3678974993
Opcode ID: a507e1a1f390213f2f9abc54df4c9631f94e2e64d044e26fac66ae883f654a18
Instruction ID: e96732e37a3eeba4062437c37ea1d4760a5befea3204d035c18cf8b07b55d504
Opcode Fuzzy Hash: a507e1a1f390213f2f9abc54df4c9631f94e2e64d044e26fac66ae883f654a18
Instruction Fuzzy Hash: 92019275700218EFA710ABB69C5DB7F77ACFF85744F104039F502D6252DAACDC0586A5

Function 00739DC6 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 50registryCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000020A,?,00000000,?,?,?,00745AF0,?,?,?,?,?,?,?), ref: 00739DE1
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\BITS,00000000,00000001,00745AF0,?,?,00745AF0,?,?,?,?,?,?,?,?), ref: 00739DFA
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00745AF0,ServiceDLL,00000000,00000000,?,?,?,00745AF0,?,?,?,?,?,?,?,?), ref: 00739E13
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000), ref: 00739E28
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 00739E2F

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\BITS, xrefs: 00739DF0
ServiceDLL, xrefs: 00739E0B

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CloseErrorLastOpenQueryValuememset
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\BITS$ServiceDLL
API String ID: 895213837-2516306254
Opcode ID: 451055a762d082901ef45866dcf91b6442a218a50539207671be9eebe2b033da
Instruction ID: 7fbc7f9cbb7c1ca8f3194404034b33a6d330f521cd0400c8ce70887b3e963f69
Opcode Fuzzy Hash: 451055a762d082901ef45866dcf91b6442a218a50539207671be9eebe2b033da
Instruction Fuzzy Hash: AF018F72940228FAEB209BA6DD0DF9FBEACDF45760F044069F505E2151D6B88A00D6E0

Function 00744E48 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(000000F6,00000000,?,?,?,00741F74), ref: 00744E5B
GetConsoleMode.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,00000000,?,?,?,00741F74), ref: 00744E6C
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,00741F74), ref: 00744E7B
SetConsoleMode.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,00000000,?,?,?,00741F74), ref: 00744EA1
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,00741F74), ref: 00744EAB

Strings

Unable to set console input mode, xrefs: 00744EBC
Unable to get console input mode, xrefs: 00744E8C

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleErrorLastMode$Handle
String ID: Unable to get console input mode$Unable to set console input mode
API String ID: 1929488553-207553747
Opcode ID: 1f514aaa4f0237275d206fed60bfce25c7e8d43f5eb88b5bde8fca78d7ade063
Instruction ID: a641021ddd3e925fb9276a32ec3345b8828ae79c8834f11c276acfb0775d5323
Opcode Fuzzy Hash: 1f514aaa4f0237275d206fed60bfce25c7e8d43f5eb88b5bde8fca78d7ade063
Instruction Fuzzy Hash: 8601A231700624EBDB24AB768D0D7AF76ADBF81361F108265F402D6291EB7CCD01A6A4

Function 0073AB8B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

_o__stricmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,localsystem,?,?,?,0073AC3E,?,?,00000000,?), ref: 0073ABA3
_o__stricmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,networkservice,?,?,00000000,?), ref: 0073ABBF
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(000000A0,?,?,?,0073AC3E,?,?,00000000,?), ref: 0073ABF8

Strings

localservice, xrefs: 0073ABD3
localsystem, xrefs: 0073AB9B
networkservice, xrefs: 0073ABB7

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: _o__stricmp$ErrorLast
String ID: localservice$localsystem$networkservice
API String ID: 602521967-659789904
Opcode ID: e1e4efafb626f9ec2bb7b0680972071dfc4676fb42c4f2c6f1ee706aa5af2334
Instruction ID: d0b3cd3d4e58515606a3cbcf091d7656c51fbfb4a82c2d1cf7f6dfc0e1947b59
Opcode Fuzzy Hash: e1e4efafb626f9ec2bb7b0680972071dfc4676fb42c4f2c6f1ee706aa5af2334
Instruction Fuzzy Hash: E10149B310830BBBE7200F10EC06B6BBBA6EF52370F248019E4C596090EB7DD88097A5

Function 007451BD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,Unable to write to the output file,?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file), ref: 007451D6
GetConsoleScreenBufferInfo.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file,?,007442FA), ref: 007451E6
LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file,?,007442FA), ref: 007451F1
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file,?,007442FA), ref: 007451F7
LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,00000000,?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file), ref: 0074521F

Strings

Unable to get current row number, xrefs: 0074520B
Unable to write to the output file, xrefs: 007451CF

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Leave$BufferConsoleEnterErrorInfoLastScreen
String ID: Unable to get current row number$Unable to write to the output file
API String ID: 3967693052-2487962534
Opcode ID: 886171f74c74f0e6ebb39cf0d95d858e2c8892a93c4edb4f4d832a62d0c44693
Instruction ID: 470f4a07a9afbf8cf64b2bbf493baf546a34dd60a4f6674967fd42d1a3dd7285
Opcode Fuzzy Hash: 886171f74c74f0e6ebb39cf0d95d858e2c8892a93c4edb4f4d832a62d0c44693
Instruction Fuzzy Hash: F7F04F35600259EB87056B79AC495BF77F8FB8AB05710842AF502D2261DBBCC80297A9

Function 00745A32 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000020A,?,?,00000000), ref: 00745A5C
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000020A,?,?,00000000), ref: 00745A6F
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,?,?,00000000), ref: 00745A9C
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,?,?,?,?,?,00000000), ref: 00745B5F

Strings

%CSIDL_SYSTEM%\qmgr.dll, xrefs: 00745A8E
,\t, xrefs: 00745B65

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastmemset
String ID: %CSIDL_SYSTEM%\qmgr.dll$,\t
API String ID: 3276359510-3330783760
Opcode ID: ab92f666bc58b5962fd96dc40374643a0771fb2834bdadfffd5c59d1997bc157
Instruction ID: c0df94f8dedcf83c47aec936f4cfb060f1cab1f3efdb68b458ba5360d8c10d11
Opcode Fuzzy Hash: ab92f666bc58b5962fd96dc40374643a0771fb2834bdadfffd5c59d1997bc157
Instruction Fuzzy Hash: 87310CB1A00629DBDB24AB70CC896EEB775EF14314F0041A4EA06A3142EF789E44CB94

Function 007453BC Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

_o_floor.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000000,?,00000000), ref: 00745471

Strings

%I64u days, xrefs: 0074540C
$0s<0sT0sp0s, xrefs: 007454AB
%I64u Minutes, xrefs: 00745425
%I64u Hours, xrefs: 00745419
%I64u Seconds, xrefs: 0074542F

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: _o_floor
String ID: $0s<0sT0sp0s$%I64u Hours$%I64u Minutes$%I64u Seconds$%I64u days
API String ID: 291871006-3865621524
Opcode ID: d901b37d1447f64d32465e5b2e58938181670e50de57d1295b047097b5c6814a
Instruction ID: db905e06778bc39fd07ab246ef566ca8501422e9c451b5f5d4065486cb53bd05
Opcode Fuzzy Hash: d901b37d1447f64d32465e5b2e58938181670e50de57d1295b047097b5c6814a
Instruction Fuzzy Hash: DC31F3B1E0061DE7EB206F44ED8C7D977B8FB44345F6046D4A58461252EB3D4ED48F84

Function 00739219 Relevance: 10.6, APIs: 7, Instructions: 88COMMON

Download Yara Rule

APIs

SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0000000D,?,0074B030,00000000,?,0074597F,?,0074B030,00000000,?,?,?,?,00745C1B,?,0000020A), ref: 007392F2

Part of subcall function 007391F5: GetFileAttributesW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,00000000,00745C06,?,0000020A,?,?,00000000), ref: 007391F9
Part of subcall function 007391F5: SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,0000020A,?,?,00000000), ref: 00739209

GetFileVersionInfoSizeExW.API-MS-WIN-CORE-VERSION-L1-1-0(00000002,00745C1B,00000000,?,0074B030,00000000,?,0074597F,?,0074B030,00000000,?,?,?,?,00745C1B), ref: 00739262
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,0074597F,?,0074B030,00000000,?,?,?,?,00745C1B,?,0000020A,?,?,00000000), ref: 0073926F

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$File$AttributesInfoSizeVersion
String ID:
API String ID: 2775674088-0
Opcode ID: 50c706c0695fcc420ddcfa61d2173ceb295dd1ec5affdfacedeb19641dad31e9
Instruction ID: 9a3a6a82ac897cd7a8d5889de2b350691f3d6e129276dd15641bb06a0a77b47f
Opcode Fuzzy Hash: 50c706c0695fcc420ddcfa61d2173ceb295dd1ec5affdfacedeb19641dad31e9
Instruction Fuzzy Hash: DC21A575900716BAE7105FA58849AABFB78FF08750F108116FA06E3202E7B8CD01C7A4

Function 0073AD82 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections,00000000,00721992,00000000,00000002,00000000,?,?,?,00000000,?,?,?,0073A513,?), ref: 0073ADB4
RegOpenKeyExA.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections,00000000,00000001,?,?,00000000,?,?,?,0073A513,?,?,DefaultConnectionSettings,DefaultConnectionSettings), ref: 0073ADC8
RegQueryValueExA.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,?,DefaultConnectionSettings,?,00000000,?,?,?,0073A513,?,?,DefaultConnectionSettings), ref: 0073ADEE
RegQueryValueExA.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,?,?,DefaultConnectionSettings,?,00000000,?,?,?,0073A513,?,?,DefaultConnectionSettings), ref: 0073AE2D

Strings

DefaultConnectionSettings, xrefs: 0073ADD6
Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections, xrefs: 0073ADAC, 0073ADC0

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$CreateOpen
String ID: DefaultConnectionSettings$Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
API String ID: 68469643-4036832936
Opcode ID: 02d48734fd41febeccce02d2b81a98cd7e8652dd609dd537b8709618ecdbb38a
Instruction ID: d0eb747f51a6626d0ea26c5f0a510bd17d5f79468818be8a65cdf3da1d116776
Opcode Fuzzy Hash: 02d48734fd41febeccce02d2b81a98cd7e8652dd609dd537b8709618ecdbb38a
Instruction Fuzzy Hash: 5C218EB1641226FBEB218F12CC4AEABBFACFF15B91F008029F44696155D779D850CBE1

Function 00745791 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,00000105,?,00000001,00000000), ref: 007457C2
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 007457C8
LoadLibraryExW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,00000000,00000000,wevtapi.dll), ref: 0074584A
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00745854

Strings

wevtapi.dll, xrefs: 0074582F
\, xrefs: 007457AE

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$DirectoryLibraryLoadSystem
String ID: \$wevtapi.dll
API String ID: 2108159120-4240009339
Opcode ID: 1b18547eac10d6fec6778eaeefb36e5d77ca258e203515f0b2ebe8f6d4f6230f
Instruction ID: 8a07c5f3a412c85fd3b89bdf19bc46d0b249838dac05f0d2957be8d058d6938d
Opcode Fuzzy Hash: 1b18547eac10d6fec6778eaeefb36e5d77ca258e203515f0b2ebe8f6d4f6230f
Instruction Fuzzy Hash: 1821F5B3E0163D9BC7219B649C48B9BB7BCAB44710F1146B5ED05E7242EF78DE488AD0

Function 00744C90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 76threadwindowCOMMON

Download Yara Rule

APIs

GetThreadLocale.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,00000000,00000000,007219A4,?, - ,Unable to write to the output file,?,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000), ref: 00744D23
FormatMessageW.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00001100,00000000,00000000,00000000,?,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file,?,007442FA), ref: 00744D31
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,007219A4,?,?,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file,?,007442FA), ref: 00744D54

Part of subcall function 007451BD: EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,Unable to write to the output file,?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file), ref: 007451D6
Part of subcall function 007451BD: GetConsoleScreenBufferInfo.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file,?,007442FA), ref: 007451E6
Part of subcall function 007451BD: LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file,?,007442FA), ref: 007451F1
Part of subcall function 007451BD: GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file,?,007442FA), ref: 007451F7

Strings

0x%8.8x, xrefs: 00744CD6
Unable to write to the output file, xrefs: 00744CED
- , xrefs: 00744CF5

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$BufferConsoleEnterErrorFormatFreeInfoLastLeaveLocalLocaleMessageScreenThread
String ID: - $0x%8.8x$Unable to write to the output file
API String ID: 2142015545-2623180442
Opcode ID: 0851a5580b712cb37b02fbc9cec659f2053fb63f68ddbded8025e4f16c2585ca
Instruction ID: 7603c660caaaed827509e5ce111c216ebb9e30f98be09edebd81c05cab32537a
Opcode Fuzzy Hash: 0851a5580b712cb37b02fbc9cec659f2053fb63f68ddbded8025e4f16c2585ca
Instruction Fuzzy Hash: F811DA71B40354E78F147BB59C9AEFF7769AFC9710B05016DBA02A3292CF7CC8049660

Function 007445D6 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,true), ref: 007445E5
_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,false), ref: 007445FA
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0074462A

Strings

must be TRUE or FALSE., xrefs: 00744609
true, xrefs: 007445DF
false, xrefs: 007445F4

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: _o__wcsicmp$ExceptionThrow
String ID: false$must be TRUE or FALSE.$true
API String ID: 1461274180-469067628
Opcode ID: 4c64e84ce934281f6893a9cb724d6cc262c105d40d42a8c6c8abe7935c5fac7a
Instruction ID: e7a8cb1a1830703e493b035bf82e6aaa03d72c2e44876beef01f29513fb09509
Opcode Fuzzy Hash: 4c64e84ce934281f6893a9cb724d6cc262c105d40d42a8c6c8abe7935c5fac7a
Instruction Fuzzy Hash: A2E0E571244219BBA618A725AC2FAAE2288CF527647254029F503F55C1EFECDD0152A6

Function 00744A09 Relevance: 9.1, APIs: 6, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 00744686: _o_wcstol.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,0000000A,?,?,00000001), ref: 00744713
Part of subcall function 00744686: wcschr.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0000002D), ref: 00744744
Part of subcall function 00744686: _o_wcstoul.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?), ref: 00744776

LookupAccountSidLocalW.API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0(?,00000000,?,00000000,00000000,?,00000018,0073F9CE,?,?, OWNER: ,?,?, STATE: ,?,?), ref: 00744A4C
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00744A5A

Part of subcall function 00744B37: CoTaskMemAlloc.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(0000020C,?,0000020C,?,007393AF,00000B40,00745BEA,?,0000020A,?,?,00000000), ref: 00744B41

Part of subcall function 00744B37: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8,0000020C,00000000,?,0000020C,?,007393AF,00000B40,00745BEA,?,0000020A,?,?,00000000), ref: 00744B88

LookupAccountSidLocalW.API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0(?,00000000,?,00000000,00000000,?), ref: 00744AB4
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00744ABF
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00744ACD
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00744B17

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: Local$Free$AccountLookup$AllocErrorExceptionLastTaskThrow_o_wcstol_o_wcstoulwcschr
String ID:
API String ID: 2470993986-0
Opcode ID: 291f02f5086470e39c262de88ebe9c02fcbee0062034e1855e54f5250362bf30
Instruction ID: 75ab10b5e2e3e45cdef2e1ed6a6dfa6a8fb5d00a5d1b19ade1c9e1d8b0c942e9
Opcode Fuzzy Hash: 291f02f5086470e39c262de88ebe9c02fcbee0062034e1855e54f5250362bf30
Instruction Fuzzy Hash: 15313EB1A00209EFDB059BA4898ABBF77B8EF48754F104119F602E7291DB7C9D019BA4

Function 0073A807 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

CoTaskMemFree.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,?,00000000,0073A0C6,?,?,?), ref: 0073A821
CoTaskMemFree.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,?,00000000,0073A0C6,?,?,?), ref: 0073A832
CoTaskMemFree.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,?,00000000,0073A0C6,?,?,?), ref: 0073A843
CoTaskMemFree.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,?,00000000,0073A0C6,?,?,?), ref: 0073A854
CoTaskMemFree.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,?,00000000,0073A0C6,?,?,?), ref: 0073A865
CoTaskMemFree.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,?,00000000,0073A0C6,?,?,?), ref: 0073A876

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask
String ID:
API String ID: 734271698-0
Opcode ID: d9abd6b6c4d12b62b95844d7797fb65f36ecce9d78a3035a1af5f33fa0a61091
Instruction ID: 7b5d8f4d97cb7b60c9b81529f1855cbec6e57993292bdab9584919529ac27729
Opcode Fuzzy Hash: d9abd6b6c4d12b62b95844d7797fb65f36ecce9d78a3035a1af5f33fa0a61091
Instruction Fuzzy Hash: D3119A70800B00DFD3728F16E908456FAF0FF947127104B2EE48B42A31D3B6A88ADF84

Function 0074507C Relevance: 9.0, APIs: 6, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(000000F6,00001388,00744C76,?,007381EC), ref: 00745090
SetConsoleMode.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,00000000,?,007381EC), ref: 00745098
EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,00001388,00744C76,?,007381EC), ref: 007450AD
SetConsoleTextAttribute.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,007381EC), ref: 007450C1
SetConsoleMode.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,007381EC), ref: 007450D3
LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,?,007381EC), ref: 007450DA

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: Console$CriticalModeSection$AttributeEnterHandleLeaveText
String ID:
API String ID: 3468959288-0
Opcode ID: 557102f3440906ac6064e8e7c7d6c04cd8f2ff860bd0ebe1049bb15a2d4fdf70
Instruction ID: 58500ecf95511d926768dfc4a02e1f48e5c9a2825e1453d6f9fee47c3bc4efc3
Opcode Fuzzy Hash: 557102f3440906ac6064e8e7c7d6c04cd8f2ff860bd0ebe1049bb15a2d4fdf70
Instruction Fuzzy Hash: FBF01236004264EBCB075B60BC0C9AF3B65EB47321705C452F50291071C77D8D41C7DC

Function 0073A2D2 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,00000004,?,?,00000004,?,00000008,?,?,00000004,?,?,0000003C,?,00000004), ref: 0073A436
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,00000004,?,?,00000004,?,00000008,?,?,00000004,?,?,0000003C,?,00000004), ref: 0073A43D

Strings

DefaultConnectionSettings, xrefs: 0073A33C, 0073A346
<, xrefs: 0073A2FD

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastMutexRelease
String ID: <$DefaultConnectionSettings
API String ID: 1973045865-3499525693
Opcode ID: e30d3983d3c54a6308bdf2dcab6aa9af6e4023a2d0b4cd15b9fd210fa56baa93
Instruction ID: 954e318ba6f093eea71d5a5472bbb8ab940aa6e3cb8bd24b7b044c08cbc433f1
Opcode Fuzzy Hash: e30d3983d3c54a6308bdf2dcab6aa9af6e4023a2d0b4cd15b9fd210fa56baa93
Instruction Fuzzy Hash: 2F41357192051AFFEB05EFA4DC8AEEDB778BF14700F004125F152A6592EB78A914CB92

Function 0073AC9A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(000000A0,?,00000000,DefaultConnectionSettings,?,?,0073A753,?,?,?,00000010,0073A4C5,?), ref: 0073AD12

Part of subcall function 0073AAF6: SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,00000000,?,?,?,?,0073ACC0,?,?,00000000,DefaultConnectionSettings,?,?,0073A753,?), ref: 0073AB72

GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,00000000,DefaultConnectionSettings,?,?,0073A753,?,?,?,00000010,0073A4C5,?), ref: 0073ACC4
RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000003,?,00000000,00000000,00000000,00000003,00000000,?,00000000,?,?,00000000,DefaultConnectionSettings,?,?,0073A753), ref: 0073ACEE
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,00000000,DefaultConnectionSettings,?,?,0073A753,?,?,?,00000010,0073A4C5,?), ref: 0073ACF8

Strings

DefaultConnectionSettings, xrefs: 0073ACA0

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$Create
String ID: DefaultConnectionSettings
API String ID: 4257001873-3342646366
Opcode ID: d46339c006132bc4d5ab7731c09e7e2e9e7ed7d4abeb6a17aeae8501d115e4b0
Instruction ID: 12612b75610988986669b09ac0a4d332455e5d33d033872b04d612e5b0e9d6db
Opcode Fuzzy Hash: d46339c006132bc4d5ab7731c09e7e2e9e7ed7d4abeb6a17aeae8501d115e4b0
Instruction Fuzzy Hash: 7711AD32620216BFF7155B60CD0BA6BB7A8EF44752F258029FC42D6246E7BC9D0087A2

Function 0073B731 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0073B738

Part of subcall function 007372AB: CoCreateInstance.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(00735858,00000000,00000004,00735848,007557A4,00000000,0074625E,0000001C,00736D43,Pending file operations: None), ref: 007372D0

CLSIDFromString.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,?,0000001C,?,0074A6D8,?,0074A6D8,?,00000000,00000014,?,0074A6D8), ref: 0073B75C

Strings

Unable to lookup job, xrefs: 0073B564, 0073B5E0
Unable to find job named ", xrefs: 0073B6A8
"., xrefs: 0073B6C1, 0073B6FB

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CreateFromH_prolog3_InstanceString
String ID: ".$Unable to find job named "$Unable to lookup job
API String ID: 3797757086-2901805396
Opcode ID: 29f05456e5db746522e981e3fba98f7738e3b00179d0fac33a49f47db9fc1dbf
Instruction ID: c1740c2bb4949227d7288b5fe2009a92b80762cc75a2ef72364359a035e030b7
Opcode Fuzzy Hash: 29f05456e5db746522e981e3fba98f7738e3b00179d0fac33a49f47db9fc1dbf
Instruction Fuzzy Hash: 3E010971A01208CBEB04EF94C959AEDB7F8BF48310F100069E101F7252DB799E058F64

Function 00744B37 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(0000020C,?,0000020C,?,007393AF,00000B40,00745BEA,?,0000020A,?,?,00000000), ref: 00744B41
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8,0000020C,00000000,?,0000020C,?,007393AF,00000B40,00745BEA,?,0000020A,?,?,00000000), ref: 00744B88

Strings

Out of memory while allocating , xrefs: 00744B51
bytes., xrefs: 00744B67
[t, xrefs: 00744B78

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: AllocExceptionTaskThrow
String ID: bytes.$Out of memory while allocating $[t
API String ID: 3561865523-3007925744
Opcode ID: 8943d9d32f8e2457c1f3cb40ccdb1aba3d57cbb615c6a2568df2208591a2a0e3
Instruction ID: 3e8f88168d285b35465ef3802ea27993089d9f35fb4078b23a75ffb125eb5977
Opcode Fuzzy Hash: 8943d9d32f8e2457c1f3cb40ccdb1aba3d57cbb615c6a2568df2208591a2a0e3
Instruction Fuzzy Hash: 23E0ED61710218A7EA1866749C1FBAF2149CF81754F5484297512AB186EFECDD0292A5

Function 0073F1D9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(02000000,00000001,00000000), ref: 0073F1EE
OpenThreadToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0073F1F5
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 0073F204
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 0073F211

Strings

unable to get thread token, xrefs: 0073F225

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastThread$CurrentOpenToken
String ID: unable to get thread token
API String ID: 3596667570-2695362643
Opcode ID: 86fc7da686cbd23087fdc7d6d4c6d58d70821e956c1564349c9912b9f374c384
Instruction ID: 67557a1dfbedbc96b1d3a91441224bebf506c192c0afd7ae8d212b746f69d355
Opcode Fuzzy Hash: 86fc7da686cbd23087fdc7d6d4c6d58d70821e956c1564349c9912b9f374c384
Instruction Fuzzy Hash: DCF0A070B0020AFBFB1497A1EE0DB6F33A8BB40749F208474F106C6092DABCC900C7A5

Function 00745019 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,00000001,00740692,?,0074A6D8), ref: 00745022
SetConsoleMode.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,0074A6D8), ref: 00745045
GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,0074A6D8), ref: 0074504F
LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,?,0074A6D8), ref: 0074506E

Strings

Unable set console mode, xrefs: 00745063

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$ConsoleEnterErrorLastLeaveMode
String ID: Unable set console mode
API String ID: 2732049916-3965411562
Opcode ID: 53cd0d3b13d1ca33c92f2c4c9cbccf53fb4e5b1baeff14704e2232b07b6d74f4
Instruction ID: f22607e375db1b9262ee7f0ea745d43601882f856ada62e54fdd1c951081b93e
Opcode Fuzzy Hash: 53cd0d3b13d1ca33c92f2c4c9cbccf53fb4e5b1baeff14704e2232b07b6d74f4
Instruction Fuzzy Hash: DAF09239A04A55ABD3162B35AD0C7AF3A95EB83360F148626F412D11B6DB6DCC0187E8

Function 00745B81 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000020A,?,?,00000000), ref: 00745BB7
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000020A,?,?,00000000), ref: 00745BC8

Part of subcall function 00739377: __EH_prolog3_catch_GS.LIBCMT ref: 00739381
Part of subcall function 00739377: SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(000000A0,00000B40,00745BEA,?,0000020A,?,?,00000000), ref: 00739BBB

GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,0000020A,?,?,00000000), ref: 00745BEE
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,0000020A,?,?,00000000), ref: 00745C89

Strings

%CSIDL_SYSTEM%\qmgr.dll, xrefs: 00745BE0

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$memset$H_prolog3_catch_
String ID: %CSIDL_SYSTEM%\qmgr.dll
API String ID: 773729580-44567079
Opcode ID: d129948118988ca8813fd34a4b5f9d08a96b989c21ef4497c7b023403823e1df
Instruction ID: ddb6e4d37a87e4c910c2d74096210574b16e1d6db8afc66ae97cd37e9df07e81
Opcode Fuzzy Hash: d129948118988ca8813fd34a4b5f9d08a96b989c21ef4497c7b023403823e1df
Instruction Fuzzy Hash: 4031BFB1A003199BDF249B70CC89AAE73B8EF45354F4401A9E90597182EB789E84CAA4

Function 0073EFC1 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0073EFC8

Strings

/ , xrefs: 0073F0CF, 0073F0D4, 0073F102
NULL, xrefs: 0073F091, 0073F096
UNKNOWN, xrefs: 0073F116

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_
String ID: / $NULL$UNKNOWN
API String ID: 2427045233-2277669930
Opcode ID: baf886e038862110199bdd491e0e697ae72e270bc9aba875fc979a0d4425bebf
Instruction ID: ceefd4025b3376c68191fa60826d10551a5e983ca8f54a1b8460b67c59c1abf6
Opcode Fuzzy Hash: baf886e038862110199bdd491e0e697ae72e270bc9aba875fc979a0d4425bebf
Instruction Fuzzy Hash: 11419E31B00218EFDF19AFA4DC55AADB7B6AF48310F104169F506BB2A2CB7D6D02DB40

Function 00737152 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89threadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00737159
GetThreadLocale.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(007219A4,?, - ), ref: 007371E5

Part of subcall function 007451BD: EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,Unable to write to the output file,?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file), ref: 007451D6
Part of subcall function 007451BD: GetConsoleScreenBufferInfo.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file,?,007442FA), ref: 007451E6
Part of subcall function 007451BD: LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file,?,007442FA), ref: 007451F1
Part of subcall function 007451BD: GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?,?,?,00744CC4,0074B7A4,0074B798,00000000,?,?,?,00744D84,00000000,Unable to write to the output file,?,007442FA), ref: 007451F7

Strings

0x%8.8x, xrefs: 00737192
- , xrefs: 007371B5

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$BufferConsoleEnterErrorH_prolog3_InfoLastLeaveLocaleScreenThread
String ID: - $0x%8.8x
API String ID: 2310948510-2689281167
Opcode ID: b0eb749cc37e46e59d7746eae99a558580f72757ea7f5aa943b57629a24ab3aa
Instruction ID: 8b8716b8060d36aa5f01b82a30b0afc4c7d2e8f375ca91c989ec0b4d4ceb4666
Opcode Fuzzy Hash: b0eb749cc37e46e59d7746eae99a558580f72757ea7f5aa943b57629a24ab3aa
Instruction Fuzzy Hash: 022109B2F48218DBDF29BBA4D88ABAD7676AF88310F054059F94077293CF6C5C00DA95

Function 007475F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

__current_exception.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00747631
__current_exception_context.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 0074763B
_o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00747642

Strings

csm, xrefs: 007475FC

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: __current_exception__current_exception_context_o_terminate
String ID: csm
API String ID: 3699047729-1018135373
Opcode ID: c3c1c02a1d26090f009244bb6a6ebd28524f13c733541eda7931593180ac2f02
Instruction ID: 509354d230f51cc515bef8d50109207fe66d98d33c441346b46ad80e35ba55bd
Opcode Fuzzy Hash: c3c1c02a1d26090f009244bb6a6ebd28524f13c733541eda7931593180ac2f02
Instruction Fuzzy Hash: 3AF0A731108B059B8B3CAE6DE04801EB7AEEE5032175A481AE488DB611C778ED61CED3

Function 0074523C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 007441BE: WriteConsoleW.KERNELBASE(0074B798,007537A4,00000002,?,00000000,?,?,00000000), ref: 00744268

EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,00000000,0074B798,Software\Policies\Microsoft\Windows\BITS,00746A01,?, Maximum network bandwidth utilization allowed is ,Software\Policies\Microsoft\Windows\BITS,MaxTransferRateOnSchedule,YES ,Software\Policies\Microsoft\Windows\BITS,EnableBITSMaxBandwidth,Is BITS's maximum network bandwidth utilization policy active? ,0000001C,00736D43,Pending file operations: None), ref: 0074525A
SetConsoleTextAttribute.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 0074526F
LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764), ref: 00745276

Strings

Software\Policies\Microsoft\Windows\BITS, xrefs: 0074523E

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleCriticalSection$AttributeEnterLeaveTextWrite
String ID: Software\Policies\Microsoft\Windows\BITS
API String ID: 3113865175-3844016454
Opcode ID: 61812443a40b7a697e7ccb5d7e0efafa755dc8413ef29578f46c38b77b32c83b
Instruction ID: 7643f6f021bef2b69cbcbd8b02003ffb697c045722f0c45381fa82780554412c
Opcode Fuzzy Hash: 61812443a40b7a697e7ccb5d7e0efafa755dc8413ef29578f46c38b77b32c83b
Instruction Fuzzy Hash: 76E08632200254A7C6166718AC48E6F7769EBD7711B054417F502E7261CBBCCC02D694

Function 00745289 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 007441BE: WriteConsoleW.KERNELBASE(0074B798,007537A4,00000002,?,00000000,?,?,00000000), ref: 00744268

EnterCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764,00000000,0074B798,Software\Policies\Microsoft\Windows\BITS,00746A17,?,?,00000000,?, Maximum network bandwidth utilization allowed is ,Software\Policies\Microsoft\Windows\BITS,MaxTransferRateOnSchedule,YES ,Software\Policies\Microsoft\Windows\BITS,EnableBITSMaxBandwidth,Is BITS's maximum network bandwidth utilization policy active? ), ref: 007452A7
SetConsoleTextAttribute.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 007452BB
LeaveCriticalSection.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(0074B764), ref: 007452C2

Strings

Software\Policies\Microsoft\Windows\BITS, xrefs: 0074528B

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleCriticalSection$AttributeEnterLeaveTextWrite
String ID: Software\Policies\Microsoft\Windows\BITS
API String ID: 3113865175-3844016454
Opcode ID: 1c8b8c6d4087064c9f2b5b71cf3aea7edb3095f97aad4dd9b0cad015c6c263d6
Instruction ID: a50ef479c0bea89b8352fc9128bc2275b18e0b5054c6a4e377baefe6ea56ed6f
Opcode Fuzzy Hash: 1c8b8c6d4087064c9f2b5b71cf3aea7edb3095f97aad4dd9b0cad015c6c263d6
Instruction Fuzzy Hash: 77E01D3620026497C71627156D4CE7F7769DBD7711B054417F502D6262CBBDCC42D7D4

Function 00739D2B Relevance: 6.1, APIs: 4, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,00000001,?,0074B798,00000000,00000000), ref: 00739D63
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000001,00000000,?,?,00000001), ref: 00739D81
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,0074B798,00000000,00000000), ref: 00739DA5
SetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(000000A0,0074B798,00000000,00000000), ref: 00739DAC

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CloseErrorLastOpenQueryValue
String ID:
API String ID: 75635995-0
Opcode ID: 449eff3d51508ee6eb58c3672edf1f96ad73d722d5075e4e4bc9da893bff1fc9
Instruction ID: 2998e2fe9ddbc3598b9daa82f4b897b5d1c7f7691dde55e8d9bae43fac340f17
Opcode Fuzzy Hash: 449eff3d51508ee6eb58c3672edf1f96ad73d722d5075e4e4bc9da893bff1fc9
Instruction Fuzzy Hash: 8A115E32A10218FBEF219F95D845AEFBF78EF45750F14806AFA09A6151D3B88E40DB90

Function 0073AF25 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,00000000,00000000,?,?,0073A36D,0000003C,00000004,00000000,?,DefaultConnectionSettings,?,00000024), ref: 0073AF9B

Part of subcall function 00744BAA: CoTaskMemAlloc.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,00000000,00000000,00739C3C), ref: 00744BB1

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000000,?,?,00000000,00000000,?,?,0073A36D,0000003C,00000004,00000000,?,DefaultConnectionSettings,?,00000024), ref: 0073AF6A
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,0073A36D,0000003C,00000004,00000000,?), ref: 0073AF76
CoTaskMemFree.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?), ref: 0073AF81

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: Taskmemcpy$AllocFreememset
String ID:
API String ID: 550164720-0
Opcode ID: 7dd8112fb0134637053ca5af2c3e51d032d89b4496f09c9a0aa7476c6c3fd45d
Instruction ID: 1afe9ab6fcc8f59338f598f7f05b954c8ba983e1f8d30b6f1ed0128cb76d3023
Opcode Fuzzy Hash: 7dd8112fb0134637053ca5af2c3e51d032d89b4496f09c9a0aa7476c6c3fd45d
Instruction Fuzzy Hash: 8D11CEB2600B00AFD7259F68DC4AE5BB7F5EF84320F048A2DF596C2642D778E904CB61

Function 00747319 Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000), ref: 0074732D
GetCurrentThreadId.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 0074733C
GetCurrentProcessId.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0 ref: 00747345
QueryPerformanceCounter.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(?), ref: 00747352

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 336384fc50165d9f46bcf5f205d39c793df73e51f9dba482ddbd802b74397dce
Instruction ID: 0dfd07d5d6c1069b677d1e39b05c0922b6a9fca527c8b0ae4c12f09e110696ea
Opcode Fuzzy Hash: 336384fc50165d9f46bcf5f205d39c793df73e51f9dba482ddbd802b74397dce
Instruction Fuzzy Hash: 82F09D71C1120CEBCB04DBB0DA49A9EBBF8EF18301F618895D412E7150DB78AB048F94

Function 00744C49 Relevance: 6.0, APIs: 4, Instructions: 19sleepinjectionCOMMON

Download Yara Rule

APIs

QueueUserAPC.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00744C40,00000144,00000000,?,007381EC), ref: 00744C64
Sleep.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00001388,?,007381EC), ref: 00744C6B
GetCurrentProcess.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(C000013A,?,007381EC), ref: 00744C7B
TerminateProcess.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?,007381EC), ref: 00744C82

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: Process$CurrentQueueSleepTerminateUser
String ID:
API String ID: 571425068-0
Opcode ID: c1489e078aea229cc7a65906543ec49c666e99e9076585015fd693a490888514
Instruction ID: 7f16ef9c16db86b762e1bc0c7272d96359cfb8219f388d8e0a4ab8e1f07fbc09
Opcode Fuzzy Hash: c1489e078aea229cc7a65906543ec49c666e99e9076585015fd693a490888514
Instruction Fuzzy Hash: BBE0E275141715ABD7162BB8BD8EB9B3B98BB4B305F098002F642D2161CBAD880086A9

Function 00744117 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_o_malloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,: Unknown.,00000000,00000000,00000000,?,00746922,: Unknown.,?,?,MDM policy background priority ), ref: 00744170
MultiByteToWideChar.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,00000000,?,000000FF,00000000,?,: Unknown.,00000000,00000000,00000000,?,00746922,: Unknown.,?,?,MDM policy background priority ), ref: 00744197

Strings

: Unknown., xrefs: 00744129

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide_o_malloc
String ID: : Unknown.
API String ID: 2636693707-3974438784
Opcode ID: 3632e7458c3fdccd7144cb8badc6dd06114cb226fec25e148fe455564fdd25e8
Instruction ID: cd552486a793d195152e0ab16869df084531f465800bbb9a0bcdc2b0ed9ac2ec
Opcode Fuzzy Hash: 3632e7458c3fdccd7144cb8badc6dd06114cb226fec25e148fe455564fdd25e8
Instruction Fuzzy Hash: 6D112732900229FBDB248FA0CC45B9ABBA9EF15750F15436AE905D7280D77C9D8097D1

Function 007372EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_o__wcsicmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00737305
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0073736B

Strings

Invalid command, xrefs: 00737338

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionThrow_o__wcsicmp
String ID: Invalid command
API String ID: 2727266494-4223844239
Opcode ID: fc03c0e026ad1e36ac14b7322cf533f027d7680770a25dfa1baaab98633555a7
Instruction ID: ca9b89f767c884e12f6ec9bb10f8ef3d65b6f6b5aa8581b6f326c5d3c889e0ff
Opcode Fuzzy Hash: fc03c0e026ad1e36ac14b7322cf533f027d7680770a25dfa1baaab98633555a7
Instruction Fuzzy Hash: EF01F9B2604215AFDB289B18DC09D5FBBACDF807507144029FD06D7251DFB8EC00D7A0

Function 007382B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 007382BF

Part of subcall function 00737279: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0073729F

Part of subcall function 007443CE: StringFromGUID2.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,?,00000028,0074B798), ref: 007443EA

Strings

Unable to get record ID, xrefs: 007382E9
Unable to get record remote name, xrefs: 0073831B

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFromH_prolog3_StringThrow
String ID: Unable to get record ID$Unable to get record remote name
API String ID: 1553815116-1416457449
Opcode ID: a3fe1eb9ccdf93063ace0d44b095f9288b04279c7998100593833ae6aa1c162c
Instruction ID: 3bb2b270e9fd88033d895d0130fa7d16744677c806110254a36a6632a8dc144f
Opcode Fuzzy Hash: a3fe1eb9ccdf93063ace0d44b095f9288b04279c7998100593833ae6aa1c162c
Instruction Fuzzy Hash: AA117F75A04218DFDB19EFA4C95A9ED77F5AF88300F104069F5056B292CF795E01CB94

Function 0073B82A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8,?,?,?,0074A6D8), ref: 0073B85A
__EH_prolog3_GS.LIBCMT ref: 0073B877

Strings

Invalid number of arguments., xrefs: 0073B839

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionH_prolog3_Throw
String ID: Invalid number of arguments.
API String ID: 1748600491-3370470566
Opcode ID: 91ee4537041e859cb8fe5e4fe866d82617e31d52759dfe1ad024d7d29706fceb
Instruction ID: f2137d77a49fde581a9b8fb0c189e3580c46442b19cfd9de984e5faf9f2ec1a1
Opcode Fuzzy Hash: 91ee4537041e859cb8fe5e4fe866d82617e31d52759dfe1ad024d7d29706fceb
Instruction Fuzzy Hash: 76F09030A0021CEBEB14EF65C8469EDB6A8DF90750F114029FA056F243DBBCAE419B96

Function 0073A255 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-DOWNLEVEL-KERNEL32-L1-1-0(00000000,?), ref: 0073A282
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,The current user currently has the following network connection names registered (other than the default connection): ,00000000,?), ref: 0073A2BD

Strings

The current user currently has the following network connection names registered (other than the default connection): , xrefs: 0073A299

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: CloseErrorLast
String ID: The current user currently has the following network connection names registered (other than the default connection):
API String ID: 3262646002-16746670
Opcode ID: bfab2c00f9c88a5f59115d6d1e14ac43a98fa46c4811ba4a3b1cf5da5fd005c0
Instruction ID: cb99871b7c027ff7739e497fabf1cb8ac458919a6004acd0d48561a0238a79eb
Opcode Fuzzy Hash: bfab2c00f9c88a5f59115d6d1e14ac43a98fa46c4811ba4a3b1cf5da5fd005c0
Instruction Fuzzy Hash: C6F0FC37640121B7672212A99C4BE2FA55AAFD1770F11453AFCC197253DA2E8C0141D7

Function 007443CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

StringFromGUID2.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,?,00000028,0074B798), ref: 007443EA
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0074442F

Strings

Internal error converting guid to string., xrefs: 0074440E

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFromStringThrow
String ID: Internal error converting guid to string.
API String ID: 3859297627-1152957537
Opcode ID: d992f4d6114a6762d6f6e0649ebf72a429ea33b100c70164420f73dd51b168e3
Instruction ID: dc97769161cb0e83e96a07a370a89f691776ec871bcc449f7dc930445c618c8b
Opcode Fuzzy Hash: d992f4d6114a6762d6f6e0649ebf72a429ea33b100c70164420f73dd51b168e3
Instruction Fuzzy Hash: D7F0B43470020CABD704EBB5CC1EAAE77A8EB41B00F504429B506E7281DF7CDE099791

Function 00742C49 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00742C50

Strings

Unable to get guid to job, xrefs: 00742C81
Unable to get guid to job, xrefs: 00742CE2

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_catch_
String ID: Unable to get guid to job$Unable to get guid to job
API String ID: 1329019490-3259678241
Opcode ID: 7511a4d514afdb0c9fca89c85a8409ca1e96fa42271821072f8d5404e7240b23
Instruction ID: 58690df327be2e0113d015d552e0ad79eb5604a208acfb2fb9133b1ca4921dcf
Opcode Fuzzy Hash: 7511a4d514afdb0c9fca89c85a8409ca1e96fa42271821072f8d5404e7240b23
Instruction Fuzzy Hash: C201D130A00208DBEB04EBA4C4597EC37A0BF48310F104199F6066B282CFBC5E41DB52

Function 00744636 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_fwprintf_s.LIBCMT ref: 00744647
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,0074A6D8), ref: 0074467A

Strings

Invalid number., xrefs: 00744659

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionThrow_fwprintf_s
String ID: Invalid number.
API String ID: 4244022437-2985399491
Opcode ID: a76f665cbb7973f391d59665ad761fea12e8f5427064b4c9267fd3855f0e6388
Instruction ID: 8ffebf3ac89bbed27efcf76198447ba184a21de5570a9b2ba85b30bfa70cafc4
Opcode Fuzzy Hash: a76f665cbb7973f391d59665ad761fea12e8f5427064b4c9267fd3855f0e6388
Instruction Fuzzy Hash: 0CE086B064010CBBDB18E7B5EC1BDAE325CCB91744F100465B515E7182DBBDEE059622

Function 00744BAA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0(?,00000000,00000000,00739C3C), ref: 00744BB1

Strings

Out of memory while allocating , xrefs: 00744BC3
bytes., xrefs: 00744BD8

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: AllocTask
String ID: bytes.$Out of memory while allocating
API String ID: 277515162-1965326189
Opcode ID: 697ac22ff721a8ff6ea77cad40fe7d403d49eb1f37ecf6702fef37a70a267bb2
Instruction ID: a9d2b9e3ea9045e664133a29fa9ddcba0594355eb711a41aca58fb4e8732bb3a
Opcode Fuzzy Hash: 697ac22ff721a8ff6ea77cad40fe7d403d49eb1f37ecf6702fef37a70a267bb2
Instruction Fuzzy Hash: DBE0C232344320635622267A2C9DE2F898D9ED2BA0702053AB506E3263CEACCC0251E0

Function 00739EFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OpenMutexA.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-2 ref: 00739F27
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,0000003C), ref: 00739F34

Strings

WininetProxyRegistryMutex, xrefs: 00739F05

Memory Dump Source

Source File: 00000000.00000002.1136420390.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1136409100.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.000000000074B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136441167.0000000000753000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000760000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1136465591.0000000000763000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_SecuriteInfo.jbxd

Similarity

API ID: MutexOpenmemset
String ID: WininetProxyRegistryMutex
API String ID: 3901118516-2696170658
Opcode ID: af38b858eb4d084afe39be6d6495a051a0fafbf96e77e21bf90a89f0d1a252a8
Instruction ID: e846b270a945700cd417fb0b4bdb9629e143920c7d321ea2a70ae69af8b1700d
Opcode Fuzzy Hash: af38b858eb4d084afe39be6d6495a051a0fafbf96e77e21bf90a89f0d1a252a8
Instruction Fuzzy Hash: 0CE0C0B19007609BD3305F1B9809A07FEF8EFD1750B01442EE15592650C7F59405CB50

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Lumma-E.2400.19496.exePID: 7740, Parent PID: 3964

General

File Activities

File Opened

File Created

Windows Analysis Report
SecuriteInfo.com.Win32.Lumma-E.2400.19496.exe

Function 00737DA5 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 123
COMMON