Play interactive tour

Edit tour

Analysis Report NcsiUwpApp.exe

Overview

General Information

Sample Name:	NcsiUwpApp.exe
Analysis ID:	321364
MD5:	93472f82ff675dbceed9adc8556cd0bb
SHA1:	6ac778a68ae0ededacb4b549b7b793fd826bd1b4
SHA256:	89b83f9f4e9db22406cb0ec90d75ccf98492731bc5c8745f481745c31cb522fd
Most interesting Screenshot:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Detected potential crypto function

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Startup

System is w10x64

NcsiUwpApp.exe (PID: 1092 cmdline: 'C:\Users\user\Desktop\NcsiUwpApp.exe' MD5: 93472F82FF675DBCEED9ADC8556CD0BB)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\NcsiUwpApp.exe

Code function: 0_2_00007FF61B7E1B00

0_2_00007FF61B7E1B00

Source: C:\Users\user\Desktop\NcsiUwpApp.exe

Code function: String function: 00007FF61B7ED120 appears 63 times

Source: NcsiUwpApp.exe

Binary or memory string: OriginalFilename vs NcsiUwpApp.exe

Source: classification engine

Classification label: sus22.winEXE@1/0@0/0

Source: NcsiUwpApp.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NcsiUwpApp.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NcsiUwpApp.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: NcsiUwpApp.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: NcsiUwpApp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NcsiUwpApp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NcsiUwpApp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NcsiUwpApp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NcsiUwpApp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NcsiUwpApp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NcsiUwpApp.exe

Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: NcsiUwpApp.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: NcsiUwpApp.pdbOO source: NcsiUwpApp.exe
Source:	Binary string: NcsiUwpApp.pdb source: NcsiUwpApp.exe

Source: NcsiUwpApp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NcsiUwpApp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NcsiUwpApp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NcsiUwpApp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NcsiUwpApp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xD6E4FC97 [Fri Mar 31 08:51:35 2084 UTC]

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\NcsiUwpApp.exe

Code function: 0_2_00007FF61B7EDC74 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF61B7EDC74

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\NcsiUwpApp.exe	Code function: 0_2_00007FF61B7EDC74 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF61B7EDC74
Source: C:\Users\user\Desktop\NcsiUwpApp.exe	Code function: 0_2_00007FF61B7EDE58 SetUnhandledExceptionFilter,	0_2_00007FF61B7EDE58
Source: C:\Users\user\Desktop\NcsiUwpApp.exe	Code function: 0_2_00007FF61B7EDA14 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF61B7EDA14

Source: C:\Users\user\Desktop\NcsiUwpApp.exe

Code function: 0_2_00007FF61B7EE038 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF61B7EE038

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Deobfuscate/Decode Files or Information1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Timestomp1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
NcsiUwpApp.exe	0%	Virustotal	Browse
NcsiUwpApp.exe	0%	Metadefender	Browse
NcsiUwpApp.exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321364
Start date:	21.11.2020
Start time:	00:22:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NcsiUwpApp.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus22.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.6% (good quality ratio 68.7%) Quality average: 54.4% Quality standard deviation: 42.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 27
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Execution Graph export aborted for target NcsiUwpApp.exe, PID 1092 because there are no executed function

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.179713194562947
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NcsiUwpApp.exe
File size:	96568
MD5:	93472f82ff675dbceed9adc8556cd0bb
SHA1:	6ac778a68ae0ededacb4b549b7b793fd826bd1b4
SHA256:	89b83f9f4e9db22406cb0ec90d75ccf98492731bc5c8745f481745c31cb522fd
SHA512:	35edc260d7922cd2bcb760da834f06f8d488bdec255068682e0c2921636eb84352d76166b63d63ced5de70fdbd2db38c92d1f6837f1200daaa06585688ec4239
SSDEEP:	1536:IyqZAvsbHOYTI7U14iuhPax3R3GRoEdHppSfkThpbfbJXwjsaPiQ:IcMuQI7Uu/kRxGRoKp8f8hpbxa5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:.......3.......9...........3.......:...].....v.;.............t.;.......;...Rich:...........PE..d................."

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x14000da00
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0xD6E4FC97 [Fri Mar 31 08:51:35 2084 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	50543d972b7881279790c37e7f68d3bc

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	3/4/2020 10:30:39 AM 3/3/2021 10:30:39 AM
Subject Chain	CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	7AB25ECD787C07B0984E7F1885C52907
Thumbprint SHA-1:	A4341B9FD50FB9964283220A36A1EF6F6FAA7840
Thumbprint SHA-256:	26FADD5610BB56E43D61A21B42A146C6A4568D8FC21DB5D78E70BE0AC390E9C3
Serial:	3300000266BD1580EFA75CD6D3000000000266

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA92C96C734h
dec eax
add esp, 28h
jmp 00007FA92C96BF7Fh
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
call dword ptr [00001615h]
mov ecx, 00000001h
mov dword ptr [00008222h], eax
call 00007FA92C96C33Eh
xor ecx, ecx
call dword ptr [0000160Dh]
dec eax
mov ecx, ebx
call dword ptr [0000160Ch]
cmp dword ptr [00008205h], 00000000h
jne 00007FA92C96C10Ch
mov ecx, 00000001h
call 00007FA92C96C31Ah
call dword ptr [0000164Bh]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0000163Fh]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [0000163Ch]
test eax, eax
je 00007FA92C96C109h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00007CDAh]
call 00007FA92C96C1AEh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00007DC1h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00007D51h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x132cc	0x1cc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x3f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x17000	0xfb4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x15800	0x2138
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x19000	0x344	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10c80	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x10e08	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10cf0	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf000	0x358	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xdee7	0xe000	False	0.415265764509	data	6.05531293565	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xf000	0x5248	0x5400	False	0.3876953125	data	4.78638561039	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x15000	0x1088	0x800	False	0.205078125	data	3.12690456838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x17000	0xfb4	0x1000	False	0.47705078125	data	4.87662609414	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x3f8	0x400	False	0.4423828125	data	3.3433173288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x19000	0x344	0x400	False	0.5859375	data	4.8570560008	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x18060	0x394	PGP symmetric key encrypted data - Plaintext or unencrypted data	English	United States

Imports

DLL	Import
api-ms-win-crt-string-l1-1-0.dll	memset
api-ms-win-crt-private-l1-1-0.dll	_o__cexit, _o__configthreadlocale, _o__configure_wide_argv, _o__crt_atexit, _o__exit, _o__get_wide_winmain_command_line, _o__initialize_onexit_table, _o__initialize_wide_environment, _o__invalid_parameter_noinfo_noreturn, _o__purecall, _o__register_onexit_function, _o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, _o__callnewh, _o_exit, _o_free, _o_malloc, _o_terminate, __CxxFrameHandler4, __std_terminate, wcsrchr, __CxxFrameHandler3, __C_specific_handler, _CxxThrowException, _o___std_exception_destroy, _o___std_exception_copy, _o___p__commode, memcpy, memmove
api-ms-win-core-string-l1-1-0.dll	MultiByteToWideChar
api-ms-win-core-util-l1-1-0.dll	DecodePointer
api-ms-win-core-synch-l1-1-0.dll	EnterCriticalSection, SetEvent, LeaveCriticalSection, DeleteCriticalSection, CreateEventW, WaitForSingleObjectEx, InitializeCriticalSectionAndSpinCount, ResetEvent, InitializeCriticalSectionEx
api-ms-win-core-handle-l1-1-0.dll	CloseHandle
api-ms-win-core-libraryloader-l1-2-0.dll	GetProcAddress, GetModuleHandleW
api-ms-win-core-rtlsupport-l1-1-0.dll	RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind
api-ms-win-core-debug-l1-1-0.dll	IsDebuggerPresent
api-ms-win-core-errorhandling-l1-1-0.dll	SetUnhandledExceptionFilter, UnhandledExceptionFilter
api-ms-win-core-processthreads-l1-1-0.dll	GetCurrentProcessId, GetCurrentProcess, TerminateProcess, GetStartupInfoW, GetCurrentThreadId
api-ms-win-core-processthreads-l1-1-1.dll	IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll	GetSystemTimeAsFileTime
api-ms-win-core-interlocked-l1-1-0.dll	InterlockedPushEntrySList, InitializeSListHead
api-ms-win-crt-runtime-l1-1-0.dll	_initterm_e, _initterm, _register_thread_local_exe_atexit_callback, _c_exit
OLEAUT32.dll	SysFreeString
api-ms-win-core-winrt-error-l1-1-0.dll	SetRestrictedErrorInfo, GetRestrictedErrorInfo
api-ms-win-core-winrt-error-l1-1-1.dll	RoOriginateLanguageException
api-ms-win-core-winrt-string-l1-1-0.dll	WindowsGetStringLen, WindowsCreateStringReference, WindowsDeleteString, WindowsPromoteStringBuffer, WindowsDeleteStringBuffer, WindowsPreallocateStringBuffer, WindowsCreateString, WindowsGetStringRawBuffer, WindowsDuplicateString
api-ms-win-core-winrt-l1-1-0.dll	RoGetActivationFactory, RoInitialize
api-ms-win-core-com-l1-1-0.dll	CoIncrementMTAUsage, CoCreateFreeThreadedMarshaler, CoTaskMemFree, CoTaskMemAlloc

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	NcsiUwpApp.exe
FileVersion	10.0.19041.423 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Microsoft Windows Operating System
ProductVersion	10.0.19041.423
FileDescription	NcsiUwpApp
OriginalFilename	NcsiUwpApp.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• NcsiUwpApp.exe

Click to jump to process

Memory Usage

• NcsiUwpApp.exe

Click to jump to process

System Behavior

Analysis Process: NcsiUwpApp.exe PID: 1092 Parent PID: 5768

Function Logs

General

Start time:	00:23:24
Start date:	21/11/2020
Path:	C:\Users\user\Desktop\NcsiUwpApp.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\NcsiUwpApp.exe'
Imagebase:	0x7ff61b7e0000
File size:	96568 bytes
MD5 hash:	93472F82FF675DBCEED9ADC8556CD0BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: NcsiUwpApp.exe PID: 1092 Parent PID: 5768 NcsiUwpApp.exeCOMMON

Executed Functions

Non-executed Functions

Function 00007FF61B7EDC74, Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF61B7EDC90
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF61B7EDCB4
RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF61B7EDCBD
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF61B7EDCD7
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF61B7EDD18
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF61B7EDD4B
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF61B7EDD6C
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF61B7EDD8D
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF61B7EDD98

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 4e0530cd223d7ede65affbea89ad23655a0abecc2f66717845958469fbc5f07a
Instruction ID: e26df7540bb164efea246e60a891db26d8a2d2add69b96ffff24ef3e23f326e2
Opcode Fuzzy Hash: 4e0530cd223d7ede65affbea89ad23655a0abecc2f66717845958469fbc5f07a
Instruction Fuzzy Hash: EB312C72609E818AEB609F65E8403ED7364FB88B54F44543ADA4D87BA8EF38D64CC710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EDA14, Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,00000000,00007FF61B7EDB4D,?,?,?,?,?,?,00007FF61B7E40ED), ref: 00007FF61B7EDA1D
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF61B7EDB4D,?,?,?,?,?,?,00007FF61B7E40ED), ref: 00007FF61B7EDA35
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF61B7EDB4D,?,?,?,?,?,?,00007FF61B7E40ED), ref: 00007FF61B7EDA3E
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FF61B7EDB4D,?,?,?,?,?,?,00007FF61B7E40ED), ref: 00007FF61B7EDA57

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentDebuggerPresentProcess
String ID:
API String ID: 2506494423-0
Opcode ID: 35f43aa2f605812a11a18a1275b82aaf348e4ccebad990fd5eacd66405b8cae8
Instruction ID: 06c41da5d4ad31ebdce17eb0f05ca3948ce815f12d537541d5af55428bb8403c
Opcode Fuzzy Hash: 35f43aa2f605812a11a18a1275b82aaf348e4ccebad990fd5eacd66405b8cae8
Instruction Fuzzy Hash: CEF0A561E09E428AF7146BA2A8152BC2761AF4CF65F002038C91ECA6B1DE7D758D8300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7E1B00, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 492COMMON

Download Yara Rule

Strings

Windows.UI.Xaml.IApplicationOverrides, xrefs: 00007FF61B7E20A5

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID:
String ID: Windows.UI.Xaml.IApplicationOverrides
API String ID: 0-290936919
Opcode ID: dd7f8608336ee746fd08823a7bb63644a5ffb9e213542a1517776fec25261d05
Instruction ID: 440f3a5c4a82c819c29d311ed385858aba3373d8e4748dfcd01c5f1b4deb264f
Opcode Fuzzy Hash: dd7f8608336ee746fd08823a7bb63644a5ffb9e213542a1517776fec25261d05
Instruction Fuzzy Hash: 4FF19CA2728E4A81EE10DB22E4522ED63A1FF8DFA4F556136EA4D87774DF2CD50C8700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EDE58, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4fd21214090f035186b9b139135794767e8e5fd84a52246a3a4dc4da2542ae
Instruction ID: 493c83cbd31c4d1cc90aeafdff507bbc9885366c3b6dd0e0349a59ca561e3c27
Opcode Fuzzy Hash: 6a4fd21214090f035186b9b139135794767e8e5fd84a52246a3a4dc4da2542ae
Instruction Fuzzy Hash: 08A0026190CC02D4F684EB16E8540F83371FF68B20B502431D00DC54B09F7DB54DC300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7E4100, Relevance: 49.1, APIs: 27, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B7E4115
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4125
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4137
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4147
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4159
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4169
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E417B
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E418B
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E419D
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41AD
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41BF
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41CF
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41E1
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41F1
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4203
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4213
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4225
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4235
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4247
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4257
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4269
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4279
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E428B
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E429B
Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E42AD
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E42BD
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E42D9

Strings

Unknown exception, xrefs: 00007FF61B7E42E5

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$std::bad_alloc::bad_alloc
String ID: Unknown exception
API String ID: 2897136269-410509341
Opcode ID: 3fa0c3c2504b6422a44dd8a9d761c6ec397ddbf8379faed2f51c0ac9b69fe675
Instruction ID: a4fd94990706c16bbdc4c8e2a10261456367db3bc73718748838e2d34f568166
Opcode Fuzzy Hash: 3fa0c3c2504b6422a44dd8a9d761c6ec397ddbf8379faed2f51c0ac9b69fe675
Instruction Fuzzy Hash: 9F51F922E28D17A4FF44EB61C8911FC2375AF5CB24F902436D61DD68BA9E2CEA4CC355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7ED1E0, Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF61B7ED205
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF61B7ED213
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF61B7ED229
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF61B7ED246
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF61B7ED25A
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0 ref: 00007FF61B7ED26E
CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF61B7ED307

Part of subcall function 00007FF61B7EDC74: IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FF61B7EDC90
Part of subcall function 00007FF61B7EDC74: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF61B7EDCB4
Part of subcall function 00007FF61B7EDC74: RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF61B7EDCBD
Part of subcall function 00007FF61B7EDC74: RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF61B7EDCD7
Part of subcall function 00007FF61B7EDC74: RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FF61B7EDD18
Part of subcall function 00007FF61B7EDC74: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF61B7EDD4B
Part of subcall function 00007FF61B7EDC74: IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FF61B7EDD6C
Part of subcall function 00007FF61B7EDC74: SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF61B7EDD8D
Part of subcall function 00007FF61B7EDC74: UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF61B7EDD98

DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF61B7ED34B
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF61B7ED35D

Strings

WakeAllConditionVariable, xrefs: 00007FF61B7ED264
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF61B7ED20C
kernel32.dll, xrefs: 00007FF61B7ED222
InitializeConditionVariable, xrefs: 00007FF61B7ED23C
SleepConditionVariableCS, xrefs: 00007FF61B7ED250

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: AddressHandleProc$CriticalExceptionFilterModulePresentSectionUnhandledmemset$CaptureCloseContextCountCreateDebuggerDeleteEntryEventFeatureFunctionInitializeLookupProcessorSpinUnwindVirtual
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2631387040-1714406822
Opcode ID: e22f50f4e5cdb431a2e2d1511c0f3a62494a60372983508e549719af35dc5a03
Instruction ID: 480e854bf5838d558aa11b3f4a1539a0375906dc44956705b1ae37366166e23d
Opcode Fuzzy Hash: e22f50f4e5cdb431a2e2d1511c0f3a62494a60372983508e549719af35dc5a03
Instruction Fuzzy Hash: 1B410E21A19F0281FA14AB6AE8502B923A1BF4DF71F453535D95EDBBB4EF2CE50D8304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EBDA4, Relevance: 19.7, APIs: 13, Instructions: 247COMMON

Download Yara Rule

APIs

WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EBDDB
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EBDF2
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EBE26
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EBE40
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EBE50
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EBE64
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EBE91
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EBEA5
wcsrchr.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7EBEB3
WindowsDuplicateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EC03D
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EC057
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EC06D

Part of subcall function 00007FF61B7E4100: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B7E4115
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4125
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4137
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4147
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4159
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4169
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E417B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E418B
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E419D
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41AD
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41BF
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41CF
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41E1
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41F1
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4203
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4213
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4225
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4235
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4247
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4257
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4269
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4279
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E428B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E429B

_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7EC0D1

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_StringWindows$Buffer$Delete$CreateDuplicatestd::bad_alloc::bad_allocwcsrchr
String ID:
API String ID: 3483459921-0
Opcode ID: 98891cc63ec5cd683ef5580879645d49354593d7ade8c052e6c79a42dfae21f8
Instruction ID: 266f86190d4e49ddc3ca7f61de8ac4e982b601ae42185ae020f4aa90f20b184e
Opcode Fuzzy Hash: 98891cc63ec5cd683ef5580879645d49354593d7ade8c052e6c79a42dfae21f8
Instruction Fuzzy Hash: 9AB18A26B09E4286EB10DF66D4803FC67A1EF88FA8F455536DA0D877B9DE38E549C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EC6B0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61B7EC24C), ref: 00007FF61B7EC73A
_o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61B7EC24C), ref: 00007FF61B7EC743
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF61B7EC75E
CoIncrementMTAUsage.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF61B7EC76E
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF61B7EC782

Part of subcall function 00007FF61B7E4100: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B7E4115
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4125
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4137
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4147
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4159
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4169
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E417B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E418B
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E419D
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41AD
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41BF
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41CF
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41E1
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41F1
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4203
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4213
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4225
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4235
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4247
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4257
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4269
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4279
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E428B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E429B

Strings

bad_weak_ptr, xrefs: 00007FF61B7EC890
Windows.Foundation.PropertyValue, xrefs: 00007FF61B7EC733

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$ActivationFactory$CreateIncrementReferenceStringUsageWindows_o_terminatestd::bad_alloc::bad_alloc
String ID: Windows.Foundation.PropertyValue$bad_weak_ptr
API String ID: 393122345-1501628194
Opcode ID: 169ba1424dd5b948e026330ead42a22ceada2844c18fc4bcfd91374bab688e1b
Instruction ID: 613204e745e67208904fc533fd2fce5a9f888432818968c2bcdbcf2e4e91cdf5
Opcode Fuzzy Hash: 169ba1424dd5b948e026330ead42a22ceada2844c18fc4bcfd91374bab688e1b
Instruction Fuzzy Hash: 02511826A19E0694FB01DB62D8843ED2770BF4CBA4F95243ACA1D96AB5DF3CA44DC340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7E6E08, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7E6E83
_o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7E6E8C
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF61B7E6EA7
CoIncrementMTAUsage.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF61B7E6EB7
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF61B7E6ECB

Part of subcall function 00007FF61B7E4100: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B7E4115
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4125
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4137
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4147
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4159
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4169
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E417B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E418B
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E419D
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41AD
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41BF
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41CF
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41E1
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41F1
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4203
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4213
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4225
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4235
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4247
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4257
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4269
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4279
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E428B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E429B

Strings

Windows.UI.Xaml.Controls.Page, xrefs: 00007FF61B7E6E7C

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$ActivationFactory$CreateIncrementReferenceStringUsageWindows_o_terminatestd::bad_alloc::bad_alloc
String ID: Windows.UI.Xaml.Controls.Page
API String ID: 393122345-1116024634
Opcode ID: 2006b1037a5fbddd905f88af84389cfe591288e1cad48e3359ab068e86ce131e
Instruction ID: 7fb7d2c4614ce1cf7eb567da04e4da6360780720ea6bd06d060c2ce134fe4d16
Opcode Fuzzy Hash: 2006b1037a5fbddd905f88af84389cfe591288e1cad48e3359ab068e86ce131e
Instruction Fuzzy Hash: DF510D25A09E06D8EB51DB66D8543FC33A0EF48B68F452836EA0D966B5DF38E54DC340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7ECB0C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF61B7E4449), ref: 00007FF61B7ECB93
_o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF61B7E4449), ref: 00007FF61B7ECB9C
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF61B7ECBB7
CoIncrementMTAUsage.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF61B7ECBC7
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF61B7ECBDB

Part of subcall function 00007FF61B7E4100: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B7E4115
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4125
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4137
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4147
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4159
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4169
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E417B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E418B
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E419D
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41AD
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41BF
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41CF
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41E1
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41F1
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4203
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4213
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4225
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4235
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4247
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4257
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4269
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4279
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E428B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E429B

Strings

Windows.Foundation.Uri, xrefs: 00007FF61B7ECB8C

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$ActivationFactory$CreateIncrementReferenceStringUsageWindows_o_terminatestd::bad_alloc::bad_alloc
String ID: Windows.Foundation.Uri
API String ID: 393122345-1377045113
Opcode ID: 4cd1e30a508eeeb0368543735fbff89282497227217cb28b2c4a21be68357675
Instruction ID: 7c40476749f6fb431c3881e5fe888f027cdd91af7b87ff4b96870e2547c83ce2
Opcode Fuzzy Hash: 4cd1e30a508eeeb0368543735fbff89282497227217cb28b2c4a21be68357675
Instruction Fuzzy Hash: C6511765A09E0694FB01DB62E8443FD2771AF4CBA8F45243ADE1D96AB5DF3CA84DC340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EB91C, Relevance: 12.3, APIs: 8, Instructions: 273COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61B7EB878: WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EB8D4

_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7EBCEA

Part of subcall function 00007FF61B7EBCF8: WindowsDuplicateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EBD68

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: StringWindows$BufferDuplicateExceptionThrow
String ID:
API String ID: 4000850183-0
Opcode ID: f4ab40246c57c2bae601c090f96fe36e489bf4a7118d8ac30b97442f92dd921e
Instruction ID: f7a5610e6db509f6287d7738844bd262c445cba7ff595153658d426985e651fb
Opcode Fuzzy Hash: f4ab40246c57c2bae601c090f96fe36e489bf4a7118d8ac30b97442f92dd921e
Instruction Fuzzy Hash: 56C15622B09E429AEB00DBA6D4902FC27A1FF48F68B456436DA0DD77B5DF38E519C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7E8418, Relevance: 12.2, APIs: 8, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61B7E8324: WindowsDuplicateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7E8353

WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000151D0,?), ref: 00007FF61B7E8453

Part of subcall function 00007FF61B7E9970: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF61B7E774E), ref: 00007FF61B7E99B8

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000151D0,?), ref: 00007FF61B7E8471

Part of subcall function 00007FF61B7EA2B4: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000050,000151D0,00000000,?,00007FF61B7E84CF), ref: 00007FF61B7EA3BE
Part of subcall function 00007FF61B7EA2B4: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000050,000151D0,00000000,?,00007FF61B7E84CF), ref: 00007FF61B7EA3CE

Part of subcall function 00007FF61B7EA2B4: _o__invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000050,000151D0,00000000,?,00007FF61B7E84CF), ref: 00007FF61B7EA40B
Part of subcall function 00007FF61B7EA2B4: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000050,000151D0,00000000,?,00007FF61B7E84CF), ref: 00007FF61B7EA415
Part of subcall function 00007FF61B7EA2B4: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000050,000151D0,00000000,?,00007FF61B7E84CF), ref: 00007FF61B7EA425

Part of subcall function 00007FF61B7EA6F4: WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,00000000,?,00000000,00000050,?,00000000,?,00007FF61B7E8613), ref: 00007FF61B7EA797

WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000151D0,?), ref: 00007FF61B7E84D6
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000151D0,?), ref: 00007FF61B7E850F
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000151D0,?), ref: 00007FF61B7E8531
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000151D0,?), ref: 00007FF61B7E85B4
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000151D0,?), ref: 00007FF61B7E85DC
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000151D0,?), ref: 00007FF61B7E85EC

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: StringWindows$memcpy$BufferDelete$Creatememmove$Duplicate_o__invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3194545885-0
Opcode ID: e13f1dedd2237b6511b190a6e31eb2bebd10d17cd41058570bc21a804c98d841
Instruction ID: 394d461a7f44e3f38d3a5ea65678a2fd451fa44d69abc8c6ce6e0c79292588b2
Opcode Fuzzy Hash: e13f1dedd2237b6511b190a6e31eb2bebd10d17cd41058570bc21a804c98d841
Instruction Fuzzy Hash: 60614F62B09E41A9EB10EF72D4501EC63A1FF48B98F445532DE0D97A7AEF38D619C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7ED88C, Relevance: 12.1, APIs: 8, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF61B7ED89B
__scrt_release_startup_lock.LIBCMT ref: 00007FF61B7ED91E
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF61B7ED96C
__scrt_get_show_window_mode.LIBCMT ref: 00007FF61B7ED971
_o__get_wide_winmain_command_line.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7ED979
__scrt_is_managed_app.LIBCMT ref: 00007FF61B7ED994
_o__cexit.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7ED9A2
_o__exit.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7ED9F7

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: __scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_o__cexit_o__exit_o__get_wide_winmain_command_line_register_thread_local_exe_atexit_callback
String ID:
API String ID: 2871097416-0
Opcode ID: eeaabb6064b33038b8f157fe402a9ed442f3d7b518e50f5e5456c48076a2d1c1
Instruction ID: 9c3702b652d6ef34f09f31caae7c8356f964147e1d715a48f224523b32987d57
Opcode Fuzzy Hash: eeaabb6064b33038b8f157fe402a9ed442f3d7b518e50f5e5456c48076a2d1c1
Instruction Fuzzy Hash: 9F311821A0DE4385FB54AB6A98522FD12919F4DFA4F447834E95ECB6F3DE2CA54C8301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EE70C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

RoOriginateLanguageException.API-MS-WIN-CORE-WINRT-ERROR-L1-1-1 ref: 00007FF61B7EE75E
GetRestrictedErrorInfo.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0 ref: 00007FF61B7EE767
SetRestrictedErrorInfo.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0 ref: 00007FF61B7EE77D
#6.OLEAUT32 ref: 00007FF61B7EE7AB
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EE7C3

Strings

W, xrefs: 00007FF61B7EE74A

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: ErrorInfoRestricted$DeleteExceptionLanguageOriginateStringWindows
String ID: W
API String ID: 4011663351-655174618
Opcode ID: 1513e9f0de528e437c372a965186e24b6f52541fa43be60080d7dd816d8b8949
Instruction ID: 02bbcccf10acff5de792af23f2811c61a27508cccfbc79e0b155bea926becf21
Opcode Fuzzy Hash: 1513e9f0de528e437c372a965186e24b6f52541fa43be60080d7dd816d8b8949
Instruction Fuzzy Hash: 12219262601E06C9EB85DF22D4913FC2761FF48BD8F046431FA0E8B6A9CF29D4898340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7ECD70, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61B7EB856), ref: 00007FF61B7ECDFF
_o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61B7EB856), ref: 00007FF61B7ECE08
_o___std_exception_destroy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7ECF5D

Part of subcall function 00007FF61B7E4100: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B7E4115
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4125
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4137
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4147
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4159
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4169
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E417B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E418B
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E419D
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41AD
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41BF
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41CF
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41E1
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41F1
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4203
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4213
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4225
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4235
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4247
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4257
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4269
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4279
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E428B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E429B

Strings

Windows.UI.Xaml.Application, xrefs: 00007FF61B7ECDF8

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$CreateReferenceStringWindows_o___std_exception_destroy_o_terminatestd::bad_alloc::bad_alloc
String ID: Windows.UI.Xaml.Application
API String ID: 629628027-2247317141
Opcode ID: a56d07ef41b0a9ef6034f3d6cebd4593c2399113f07e99c29152f6d25a816563
Instruction ID: dab09c4c18d3acb35771f5ea455372cf87c94f7b61d1047bb457e0135f8e33d5
Opcode Fuzzy Hash: a56d07ef41b0a9ef6034f3d6cebd4593c2399113f07e99c29152f6d25a816563
Instruction Fuzzy Hash: DE511326B09E0688FB009B66E8852ED2761BF4CFA4F456436DE1D97BB5DF3CE4498340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7E218C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7E2210
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF61B7E222B
CoIncrementMTAUsage.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF61B7E223B
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF61B7E224F

Part of subcall function 00007FF61B7E4100: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B7E4115
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4125
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4137
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4147
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4159
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4169
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E417B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E418B
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E419D
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41AD
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41BF
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41CF
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41E1
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41F1
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4203
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4213
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4225
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4235
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4247
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4257
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4269
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4279
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E428B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E429B

Strings

Windows.UI.Xaml.Application, xrefs: 00007FF61B7E2200

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$ActivationFactory$IncrementUsage_o_terminatestd::bad_alloc::bad_alloc
String ID: Windows.UI.Xaml.Application
API String ID: 3679345456-2247317141
Opcode ID: 5841108226722660b4814c073d499faf99cdfbcf0095a197813c15fcf8871462
Instruction ID: 3416f6bd2bdf8ac487fedf92e6e87dd5b02428c6953e61438ab0ba94aaa5e145
Opcode Fuzzy Hash: 5841108226722660b4814c073d499faf99cdfbcf0095a197813c15fcf8871462
Instruction Fuzzy Hash: 2D511922A09E0698FB51DB62D8943FC23A0FF4CB68F552436DA1D96AB5DF38E54DC340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7E7EE8, Relevance: 7.7, APIs: 5, Instructions: 191COMMON

Download Yara Rule

APIs

WindowsDuplicateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,00000000,00000000,?,00000000,00007FF61B7EBA88), ref: 00007FF61B7E7FDA

Part of subcall function 00007FF61B7E4100: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B7E4115
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4125
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4137
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4147
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4159
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4169
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E417B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E418B
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E419D
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41AD
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41BF
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41CF
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41E1
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41F1
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4203
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4213
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4225
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4235
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4247
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4257
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4269
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4279
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E428B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E429B

Part of subcall function 00007FF61B7E8C28: WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,00000000,00007FF61B7E80C5,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF61B7E8C6A

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00007FF61B7EBA88), ref: 00007FF61B7E80D1
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00007FF61B7EBA88), ref: 00007FF61B7E80EA
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00007FF61B7EBA88), ref: 00007FF61B7E8103
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00007FF61B7EBA88), ref: 00007FF61B7E8119

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$StringWindows$Delete$Duplicatestd::bad_alloc::bad_alloc
String ID:
API String ID: 929342611-0
Opcode ID: a3d632c5711d706eb318628c4ce56d467cdc1385f8d26de70991971556b17934
Instruction ID: 221a8a325d8c417a1e7a8d5dbdda56479439f054b18b94811fe7851434a669c4
Opcode Fuzzy Hash: a3d632c5711d706eb318628c4ce56d467cdc1385f8d26de70991971556b17934
Instruction Fuzzy Hash: 8691F232A05F4186EA459F26E8803AC73A4FF48FA4F155139DA8D87771DF39E86AD340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EA2B4, Relevance: 7.7, APIs: 5, Instructions: 151COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000050,000151D0,00000000,?,00007FF61B7E84CF), ref: 00007FF61B7EA3BE
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000050,000151D0,00000000,?,00007FF61B7E84CF), ref: 00007FF61B7EA3CE
_o__invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000050,000151D0,00000000,?,00007FF61B7E84CF), ref: 00007FF61B7EA40B
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000050,000151D0,00000000,?,00007FF61B7E84CF), ref: 00007FF61B7EA415
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(00000000,00000050,000151D0,00000000,?,00007FF61B7E84CF), ref: 00007FF61B7EA425

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: memcpy$_o__invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3771710400-0
Opcode ID: a09b4bbc5828ddf4b6ab4a8a1879718560b45d7aec6634d4adb72128df8604ed
Instruction ID: b57afb339289859ba3f0384ad2908d3b48861ddbf10430da3c90c9b5640b703e
Opcode Fuzzy Hash: a09b4bbc5828ddf4b6ab4a8a1879718560b45d7aec6634d4adb72128df8604ed
Instruction Fuzzy Hash: 9B51BDA2B04E4591EE24AB2AD5442AD6361EF49FF4F441631DE6D8B7F5DE3CD04A8300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7E8654, Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

WindowsDuplicateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF61B7EC402), ref: 00007FF61B7E86C4
WindowsDuplicateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF61B7EC402), ref: 00007FF61B7E86ED
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7E87C3
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7E87D6
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7E87E9

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: StringWindows$Delete$Duplicate
String ID:
API String ID: 1400354366-0
Opcode ID: 7798d7dd15dd06672e63ab08ea4ab11ba30e2e1332c124448b48cf47bc0c8c39
Instruction ID: 2998a36f7d980dcf8fe13dd829ef0cd120e1927292cfdda6f54a1590b0761c75
Opcode Fuzzy Hash: 7798d7dd15dd06672e63ab08ea4ab11ba30e2e1332c124448b48cf47bc0c8c39
Instruction Fuzzy Hash: C8515822A19F4582EB409F6AE4403AD63A0FF88FA8F145135DA4D877B5DF3CD859C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EE7DA, Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

RoOriginateLanguageException.API-MS-WIN-CORE-WINRT-ERROR-L1-1-1 ref: 00007FF61B7EE82C
GetRestrictedErrorInfo.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0 ref: 00007FF61B7EE835
SetRestrictedErrorInfo.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0 ref: 00007FF61B7EE84B
#6.OLEAUT32 ref: 00007FF61B7EE879
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EE891

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: ErrorInfoRestricted$DeleteExceptionLanguageOriginateStringWindows
String ID:
API String ID: 4011663351-0
Opcode ID: 0eef2932ee7a7ddac940385b150edf3d258c8c3ac301e1530084c39db2a2a4b5
Instruction ID: 31f8e812e631e33f4fe316c473c6e16a7e5f70d0eee9bfb005504e4f51ef2b8a
Opcode Fuzzy Hash: 0eef2932ee7a7ddac940385b150edf3d258c8c3ac301e1530084c39db2a2a4b5
Instruction Fuzzy Hash: 0C214D66605E0689EB85DF26C4913FC2761FF58BD8F057435FA0E8BAA9CF29D489C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EE63E, Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

RoOriginateLanguageException.API-MS-WIN-CORE-WINRT-ERROR-L1-1-1 ref: 00007FF61B7EE690
GetRestrictedErrorInfo.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0 ref: 00007FF61B7EE699
SetRestrictedErrorInfo.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0 ref: 00007FF61B7EE6AF
#6.OLEAUT32 ref: 00007FF61B7EE6DD
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7EE6F5

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: ErrorInfoRestricted$DeleteExceptionLanguageOriginateStringWindows
String ID:
API String ID: 4011663351-0
Opcode ID: 7efdc654d43176fd832a407fbe7f6d492587e69223c8b394306dbf3696a7cf58
Instruction ID: cf96ab98b5841b7b32e523870113d7c8756241b674899e1644094a1b85b634c7
Opcode Fuzzy Hash: 7efdc654d43176fd832a407fbe7f6d492587e69223c8b394306dbf3696a7cf58
Instruction Fuzzy Hash: 34213E62605E0689EB85DF26C4913FC2761EF48BD8F156535FA0E8BAA9CF29D4898340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EC8B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF61B7EC94F
_o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF61B7EC958

Part of subcall function 00007FF61B7E4100: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B7E4115
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4125
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4137
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4147
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4159
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4169
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E417B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E418B
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E419D
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41AD
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41BF
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41CF
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41E1
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41F1
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4203
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4213
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4225
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4235
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4247
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4257
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4269
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4279
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E428B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E429B

Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E42AD
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E42BD
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E42D9

Strings

Windows.UI.Xaml.Application, xrefs: 00007FF61B7EC948

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$CreateReferenceStringWindows_o_terminatestd::bad_alloc::bad_alloc
String ID: Windows.UI.Xaml.Application
API String ID: 4026571031-2247317141
Opcode ID: c7154907ae05484fcff9b181e5d1dbff3efa99d4c345eee33fab5a852ef15c70
Instruction ID: 10a2911eade32fc07a40f889aa7b522c188fa500a7d15fa616f9f1e7d822efb3
Opcode Fuzzy Hash: c7154907ae05484fcff9b181e5d1dbff3efa99d4c345eee33fab5a852ef15c70
Instruction Fuzzy Hash: C6512866A0AE06A5EB10DF66D8802ED2761FF4CFA8F456436DA1C97774DF38E449C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EB57C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00007FF61B7EB587

Part of subcall function 00007FF61B7ED008: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,00007FF61B7EB58C,?,?,?,?,00007FF61B7EB6C9,00000000,?), ref: 00007FF61B7ED025
Part of subcall function 00007FF61B7ED008: _o___std_exception_copy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FF61B7EB58C), ref: 00007FF61B7ED050

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,00007FF61B7EB6C9,00000000,?,?,00007FF61B7E99C8,?,?,?), ref: 00007FF61B7EB667
_o__invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,00007FF61B7EB6C9,00000000,?,?,00007FF61B7E99C8,?,?,?), ref: 00007FF61B7EB6BD

Strings

string too long, xrefs: 00007FF61B7EB580

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: ExceptionThrowXinvalid_argument_o___std_exception_copy_o__invalid_parameter_noinfo_noreturnmemcpystd::_
String ID: string too long
API String ID: 3744479781-2556327735
Opcode ID: 1fad917f55479e75b9757f70caccdb87e437959e5f17fe5e472de47b1cb41201
Instruction ID: fa42f81d08d5e54049c86f5f2b5fa34085672316e74ea3b7cc8049c1e48c3148
Opcode Fuzzy Hash: 1fad917f55479e75b9757f70caccdb87e437959e5f17fe5e472de47b1cb41201
Instruction Fuzzy Hash: 7E31DEA2705A4990ED18DA1299942FC5661AF08FF0F446B30DE3E8A7F1DF7CE4898310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7ECCDC, Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF61B7ECD15
CoIncrementMTAUsage.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF61B7ECD26
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF61B7ECD3A

Part of subcall function 00007FF61B7E4100: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B7E4115
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4125
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4137
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4147
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4159
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4169
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E417B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E418B
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E419D
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41AD
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41BF
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41CF
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41E1
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41F1
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4203
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4213
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4225
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4235
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4247
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4257
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4269
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4279
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E428B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E429B

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61B7EB856), ref: 00007FF61B7ECDFF
_o_terminate.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61B7EB856), ref: 00007FF61B7ECE08
_o___std_exception_destroy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7ECF5D

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$ActivationFactory$CreateIncrementReferenceStringUsageWindows_o___std_exception_destroy_o_terminatestd::bad_alloc::bad_alloc
String ID:
API String ID: 3005855516-0
Opcode ID: 761d0de713aea829b48185cce522a2edd42812f7d5e3bf43170d8d93d35e9340
Instruction ID: 717507997cbf29e20e8f2e9fbd8bd54d0f870883aa34e501acc9bc84c4ced7dd
Opcode Fuzzy Hash: 761d0de713aea829b48185cce522a2edd42812f7d5e3bf43170d8d93d35e9340
Instruction Fuzzy Hash: 0441A926B08E4681EB10DB22E8512AD2360FF8CFA4F406536EE8C87B75CF3CE4498700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7E9830, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

WindowsDuplicateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7E986D
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7E98E4

Strings

Windows.UI.Xaml.Markup.IXamlType, xrefs: 00007FF61B7E98D5

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: StringWindows$CreateDuplicate
String ID: Windows.UI.Xaml.Markup.IXamlType
API String ID: 492213260-1176331606
Opcode ID: 1f0ba3ae6aa6c4d5771abc01059157c4521839b0402569d6f0ea41fab9c4acb9
Instruction ID: 8c2fb8834c50db76154ea3f7f3f3f6336ac53a126b495e640cd7a7f73aecf8be
Opcode Fuzzy Hash: 1f0ba3ae6aa6c4d5771abc01059157c4521839b0402569d6f0ea41fab9c4acb9
Instruction Fuzzy Hash: 632192A2B18F0582EB208B21E4523AD63A0FF8CB98F445534DA8DC7775DF3CE1598B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7E8240, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

WindowsDuplicateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7E828B
WindowsCreateString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF61B7E82E6

Part of subcall function 00007FF61B7E4100: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61B7E4115
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4125
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4137
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4147
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4159
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4169
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E417B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E418B
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E419D
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41AD
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41BF
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41CF
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E41E1
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E41F1
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4203
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4213
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4225
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4235
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4247
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4257
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E4269
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E4279
Part of subcall function 00007FF61B7E4100: Concurrency::details::_NonReentrantBlockingLock::_NonReentrantBlockingLock.LIBCMT ref: 00007FF61B7E428B
Part of subcall function 00007FF61B7E4100: _CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,00007FF61B7E2399), ref: 00007FF61B7E429B

Strings

Windows.UI.Xaml.Markup.IXamlType, xrefs: 00007FF61B7E82DF

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: BlockingReentrant$ExceptionThrow$Concurrency::details::_LockLock::_$StringWindows$CreateDuplicatestd::bad_alloc::bad_alloc
String ID: Windows.UI.Xaml.Markup.IXamlType
API String ID: 3575171605-1176331606
Opcode ID: 638626e308b72e9076f1e95c5361e3d7f05b4b58ceaa7a9a2113112d538546e7
Instruction ID: 76cefcc879b94ac4409b6b97d714524cf164d5f49753e54fd9639d8e5893e113
Opcode Fuzzy Hash: 638626e308b72e9076f1e95c5361e3d7f05b4b58ceaa7a9a2113112d538546e7
Instruction Fuzzy Hash: 0B217C61A08F4682EB20DB26E8553BD23A4BF8CB64F402235D99DC27B6DF3CE5088704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF61B7EEBB6, Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7EEBD0

Part of subcall function 00007FF61B7EACB0: WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0(?,?,?,00007FF61B7EB3B2,?,?,00000098,00007FF61B7EB4F5,?,00000098,00000020,00000098,?,?,?,00007FF61B7EAC96), ref: 00007FF61B7EACC6

_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7EEBF0
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7EEC10
_CxxThrowException.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF61B7EEC30

Memory Dump Source

Source File: 00000000.00000002.212705854.00007FF61B7E1000.00000020.00020000.sdmp, Offset: 00007FF61B7E0000, based on PE: true

Associated: 00000000.00000002.212700445.00007FF61B7E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212719453.00007FF61B7EF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212723924.00007FF61B7F0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.212730866.00007FF61B7F5000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.212734797.00007FF61B7F7000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff61b7e0000_NcsiUwpApp.jbxd

Similarity

API ID: ExceptionThrow$DeleteStringWindows
String ID:
API String ID: 1172633471-0
Opcode ID: e731f10ff1cc2495020532bba2b6f64a32d016e6f4bb03180d4cc6b38d716564
Instruction ID: e630d3eeb9be8b52fbd3af787c6f754e095dd68dc033d8ae326eebbc4d41ed6c
Opcode Fuzzy Hash: e731f10ff1cc2495020532bba2b6f64a32d016e6f4bb03180d4cc6b38d716564
Instruction Fuzzy Hash: D5018866B18E418AE348FF3398020FF13559F88B80F04EC35FA4D866B6DE28D5564340

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report NcsiUwpApp.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: NcsiUwpApp.exe PID: 1092 Parent PID: 5768

General

File Activities

File Opened

Volume Information Queried

Section Activities

Sections loaded by Windows

Registry Activities

Key Opened

Key Value Queried

Process Activities

Process Queried

Process Information Set

Memory Activities