Edit tour

Windows Analysis Report
8xfH5IUIWU.exe

Overview

General Information

Sample name:	8xfH5IUIWU.exe renamed because original name is a hash value
Original sample name:	40a27408f7e3f7cd6938a4d7dd890d3f86001f9e2ef6090ba6a00e4dfc4ca081.exe
Analysis ID:	1502258
MD5:	a2c74b5aad6f1e7dc6b11a61c5ae2c46
SHA1:	431faa2771a4090ea286cc6d6ecf77e32a4cf340
SHA256:	40a27408f7e3f7cd6938a4d7dd890d3f86001f9e2ef6090ba6a00e4dfc4ca081
Tags:	exe
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Contain functionality to detect virtual machines

Contains functionality to infect the boot sector

Contains functionality to inject code into remote processes

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for sample

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

8xfH5IUIWU.exe (PID: 2124 cmdline: "C:\Users\user\Desktop\8xfH5IUIWU.exe" MD5: A2C74B5AAD6F1E7DC6B11A61C5AE2C46)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: 8xfH5IUIWU.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A74423AB FindFirstFileW,FindClose,	0_2_00007FF7A74423AB
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A74423B3 FindFirstFileW,FindClose,	0_2_00007FF7A74423B3
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A744239E FindFirstFileW,FindClose,	0_2_00007FF7A744239E
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A74423C0 FindFirstFileW,FindClose,	0_2_00007FF7A74423C0

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Code function: 4x nop then dec rdx

0_2_00007FF7A74793D0

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Code function: 0_2_00007FF7A7444DEA InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00007FF7A7444DEA

Source: 8xfH5IUIWU.exe	String found in binary or memory: https://enigmaprotector.com/taggant/spv.crl0
Source: 8xfH5IUIWU.exe	String found in binary or memory: https://enigmaprotector.com/taggant/user.crl0
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):

System Summary

PE file has nameless sections

Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A7503240 NtReadFile,	0_2_00007FF7A7503240
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A7503300 NtCreateFile,	0_2_00007FF7A7503300
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A7503060 NtCreateSection,	0_2_00007FF7A7503060
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A7502F90 NtMapViewOfSection,	0_2_00007FF7A7502F90
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A76B9DA8 NtReadFile,	0_2_00007FF7A76B9DA8

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Code function: 0_2_00007FF7A7441E8D: DeviceIoControl,OpenProcess,TerminateProcess,

0_2_00007FF7A7441E8D

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A74450D8	0_2_00007FF7A74450D8
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A7443F9B	0_2_00007FF7A7443F9B
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A7448792	0_2_00007FF7A7448792
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A7441616	0_2_00007FF7A7441616
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A744A22A	0_2_00007FF7A744A22A
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A745124B	0_2_00007FF7A745124B
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A74481B2	0_2_00007FF7A74481B2
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A744202A	0_2_00007FF7A744202A
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A7455FB0	0_2_00007FF7A7455FB0
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A7441E8D	0_2_00007FF7A7441E8D

Source: 8xfH5IUIWU.exe

Static PE information: Number of sections : 12 > 10

Source: 8xfH5IUIWU.exe

Static PE information: Section: ZLIB complexity 0.9956341911764706

Source: classification engine

Classification label: mal88.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Code function: 0_2_00007FF7A7443F9B GetEnvironmentVariableW,GetFileAttributesW,GetEnvironmentVariableW,GetFileAttributesW,CreateToolhelp32Snapshot,Process32FirstW,_wcsicmp,Process32NextW,_wcsicmp,

0_2_00007FF7A7443F9B

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: 1383544257--904687418. Number: 0

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

File read: C:\Users\user\Desktop\8xfH5IUIWU.exe

Jump to behavior

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Source: 8xfH5IUIWU.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 8xfH5IUIWU.exe

Static file information: File size 3241472 > 1048576

Source: 8xfH5IUIWU.exe

Static PE information: Raw size of is bigger than: 0x100000 < 0x2c1a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Unpacked PE file: 0.2.8xfH5IUIWU.exe.7ff7a7440000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:W;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW; vs Unknown_Section0:ER;Unknown_Section1:W;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:W;Unknown_Section6:W;Unknown_Section7:W;Unknown_Section8:W;Unknown_Section9:R;Unknown_Section10:EW;Unknown_Section11:EW;

Source: 8xfH5IUIWU.exe

Static PE information: real checksum: 0x2fb10 should be: 0x31f037

Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:
Source: 8xfH5IUIWU.exe	Static PE information: section name:

Source: 8xfH5IUIWU.exe	Static PE information: section name: entropy: 7.992733295273297
Source: 8xfH5IUIWU.exe	Static PE information: section name: entropy: 7.808705679598211
Source: 8xfH5IUIWU.exe	Static PE information: section name: entropy: 7.73306314545859

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Code function: DeviceIoControl,OpenProcess,TerminateProcess, \\.\PhysicalDrive0

0_2_00007FF7A7441E8D

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Code function: DeviceIoControl,OpenProcess,TerminateProcess, \\.\PhysicalDrive0

0_2_00007FF7A7441E8D

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Code function: QEMU HARDDISK QEMU HARDDISK

0_2_00007FF7A7441E8D

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE{
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE#
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXEG
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $SANDBOXIERPCSS.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE{
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEU
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXES
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIESVC.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXEQ
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEI
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXE)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIECTRL.EXEA\\CU
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $BEHAVIORDUMPER.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXENS\PICTURES\
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXEK
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE+
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXEZ
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE_
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXEM
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CFF EXPLORER.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE&
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXEW
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE$
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022103652.000001F378B0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXEUIWU.EXE,
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NETSNIFFER.EXEO
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .SANDBOXIEDCOMLAUNCH.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE]
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE`
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "PROC_ANALYZER.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SNIFF_HIT.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXEC
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TCPDUMP.EXEZ
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $APIMONITOR-X86.EXETURES\
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "PROCESSHACKER.EXECU
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMUSRVC.EXET
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXEW
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Window / User API: threadDelayed 665

Jump to behavior

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

API coverage: 6.0 %

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe TID: 6588

Thread sleep count: 665 > 30

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A74423AB FindFirstFileW,FindClose,	0_2_00007FF7A74423AB
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A74423B3 FindFirstFileW,FindClose,	0_2_00007FF7A74423B3
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A744239E FindFirstFileW,FindClose,	0_2_00007FF7A744239E
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A74423C0 FindFirstFileW,FindClose,	0_2_00007FF7A74423C0

Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: basic_string::appendcannot create std::vector larger than max_size()Stop reversing the programReconsider your life choicesAnd go touch some grass\\.\PhysicalDrive0DADY HARDDISKQEMU HARDDISKvector::_M_range_insert
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37AA6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <hyper-v guest shutdown servicell
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmmemctl.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtools
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37AA6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: >hyper-v guest service interfacel!
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: QEMU HARDDISK
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Hyper-V (guest)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A68B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #vmware physical disk helper service
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser.exe-
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuser.exe)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmsrvc.exeE
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice.exe,
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exeq
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37AA6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Fvmware physical disk helper service
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe*
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmusrvc.exet
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp, 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretray.exe
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Fvmware physical disk helper servicexe\windows\history\
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmscsi.exe}
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VBoxService.exe
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Virtual MachinesbiedllVBoxService.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37AA6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Bhyper-v powershell direct servicel
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022068587.000001F378AC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga`j+{
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Code function: 0_2_00007FF7A74516E5 ??3@YAXPEAX@Z,IsDebuggerPresent,RaiseException,

0_2_00007FF7A74516E5

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A7441131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,_malloc_dbg,strlen,_malloc_dbg,_cexit,	0_2_00007FF7A7441131
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A7450708 RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,TlsGetValue,TlsSetValue,	0_2_00007FF7A7450708
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	Code function: 0_2_00007FF7A74706B0 SetUnhandledExceptionFilter,	0_2_00007FF7A74706B0

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Code function: 0_2_00007FF7A74450D8 ExitProcess,CreateMutexA,GetLastError,CreateProcessA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualProtect,QueueUserAPC,ResumeThread,

0_2_00007FF7A74450D8

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	NtSetInformationThread: Indirect: 0x7FF7A74B6B0D	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	NtProtectVirtualMemory: Indirect: 0x7FF7A7504AAB	Jump to behavior
Source: C:\Users\user\Desktop\8xfH5IUIWU.exe	NtProtectVirtualMemory: Indirect: 0x7FF7A7F08EBA	Jump to behavior

Source: 8xfH5IUIWU.exe, 00000000.00000002.2023056255.000001F37AE80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progman service
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023056255.000001F37AE80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: program manager Chromeer
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: shell_traywnd

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Code function: 0_2_00007FF7A745BAD0 cpuid

0_2_00007FF7A745BAD0

Source: C:\Users\user\Desktop\8xfH5IUIWU.exe

Code function: 0_2_00007FF7A7451870 GetSystemTimeAsFileTime,

0_2_00007FF7A7451870

Source: 8xfH5IUIWU.exe, 00000000.00000002.2022565810.000001F37A699000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procdump.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2023145757.000001F37B2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: spideragent.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fsaua.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe
Source: 8xfH5IUIWU.exe, 00000000.00000002.2022909989.000001F37A9A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Bootkit	11 Process Injection	33 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Process Injection	LSASS Memory	441 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	33 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Bootkit	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8xfH5IUIWU.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://enigmaprotector.com/taggant/spv.crl0	0%	Avira URL Cloud	safe
https://enigmaprotector.com/taggant/user.crl0	0%	Avira URL Cloud	safe
https://gcc.gnu.org/bugs/):	0%	Avira URL Cloud	safe
https://enigmaprotector.com/taggant/user.crl0	0%	Virustotal		Browse
https://gcc.gnu.org/bugs/):	0%	Virustotal		Browse
https://enigmaprotector.com/taggant/spv.crl0	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://gcc.gnu.org/bugs/):	8xfH5IUIWU.exe, 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://enigmaprotector.com/taggant/spv.crl0	8xfH5IUIWU.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://enigmaprotector.com/taggant/user.crl0	8xfH5IUIWU.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502258
Start date and time:	2024-08-31 21:09:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8xfH5IUIWU.exe renamed because original name is a hash value
Original Sample Name:	40a27408f7e3f7cd6938a4d7dd890d3f86001f9e2ef6090ba6a00e4dfc4ca081.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.9610912074285
TrID:	Win64 Executable (generic) (12005/4) 74.80% Generic Win/DOS Executable (2004/3) 12.49% DOS Executable Generic (2002/1) 12.47% VXD Driver (31/22) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	8xfH5IUIWU.exe
File size:	3'241'472 bytes
MD5:	a2c74b5aad6f1e7dc6b11a61c5ae2c46
SHA1:	431faa2771a4090ea286cc6d6ecf77e32a4cf340
SHA256:	40a27408f7e3f7cd6938a4d7dd890d3f86001f9e2ef6090ba6a00e4dfc4ca081
SHA512:	41c0857b61bc765b5ac2c96b1909e29703afb8a11225e822747a52349336c9a4788d1d8867f6a45308f327057f59bf1044c8ecc2c58220d75e2e94d083862888
SSDEEP:	49152:CLaedx9/RYdZf/k4x+Nx0HLjCKkpC2bRw5To62pUkGTtfTzUnP6:sMHkPxavC9L2hoRfGTt+
TLSH:	2FE53343FA4D22C8E292687154A5E122DF9725813FFB13419B1F579C31CB8B68B9F34A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.......................@............................. ............`...@...... ........ ...... .....

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140e6d1ec
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c1fbf380722f62e9d13f77bc10915a89

Entrypoint Preview

Instruction
jmp 00007F5674BA3B6Ah
add byte ptr [ebp+eax+00h], bl
add byte ptr [eax], al
add byte ptr [eax], al
push eax
push ecx
push edx
push ebx
push ebp
push esi
push edi
inc ecx
push eax
inc ecx
push ecx
inc ecx
push edx
inc ecx
push ebx
inc ecx
push esp
inc ecx
push ebp
inc ecx
push esi
inc ecx
push edi
dec eax
pushfd
dec eax
sub esp, 00000008h
stmxcsr dword ptr [esp]
call 00007F5674BA3B65h
pop ebp
dec eax
sub ebp, 00000033h
dec eax
sub ebp, 00E6D1ECh
dec eax
sub esp, 00000020h
jmp 00007F5674BA3B69h
or dword ptr [edi-49h], eax
push esi
dec eax
mov eax, 00E6D1ECh
dec eax
add eax, ebp
dec eax
add eax, 00000084h
dec eax
mov ecx, 0000060Bh
dec eax
mov edx, 71FA03FFh
xor byte ptr [eax], dl
dec eax
inc eax
dec eax
dec ecx
jne 00007F5674BA3B58h
jmp 00007F5674BA3B69h
int 74h
jp 00007F5674BA3BA7h
mov bh, 76h
push ss
je 00007F5674BA3BD8h
ret

Data Directories

Name	Virtual Address	Virtual Size
IMAGE_DIRECTORY_ENTRY_EXPORT	0xbb3060	0xd3b
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbb3d9c	0x2e8
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xbb49a0	0x26ed4
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbb3040	0x10
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xbb3000	0x28
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
0x1000	0x21000	0xee00	1534b42818ef35a35dca6f5687d75689	False	0.9956341911764706	data	7.992733295273297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x22000	0x2000	0x200	696a1134325787785c20aabbf456c4b5	False	0.48046875	data	4.017144721115484	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x24000	0x4000	0x1600	a83f30c0be9427fb3243383d63ece46b	False	0.9540127840909091	OpenPGP Public Key	7.808705679598211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x28000	0x4000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x2c000	0x3000	0xa00	2705e0e58e752dd8f087a2f2efb9e435	False	0.96015625	data	7.73306314545859	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x2f000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x30000	0x2000	0x200	5b462360c7913045d18e88c9b4aff987	False	0.19140625	data	1.5569017803969105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x32000	0x1000	0x200	6033cfe306fbae60ba7a285973e647e4	False	0.0859375	data	0.6015377733147627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x33000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x34000	0x1000	0x400	6b3fbcf4932b652979cb995f1b8ea760	False	0.79296875	data	6.55272403501495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x35000	0xb7b000	0x44000	c4f7b4c467b0846ae063321303766699	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0xbb0000	0x2c2000	0x2c1a00	ba30b3ee32f9adb945b3187634115fa5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
ole32.dll	OleInitialize
msvcrt.dll	__C_specific_handler
WININET.dll	InternetCloseHandle

Target ID:	0
Start time:	15:09:56
Start date:	31/08/2024
Path:	C:\Users\user\Desktop\8xfH5IUIWU.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\8xfH5IUIWU.exe"
Imagebase:	0x7ff7a7440000
File size:	3'241'472 bytes
MD5 hash:	A2C74B5AAD6F1E7DC6B11A61C5AE2C46
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	46.5%
Total number of Nodes:	460
Total number of Limit Nodes:	6

Executed Functions

Function 00007FF7A74450D8 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 342
memoryinjectionprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00007FF7A74450FB
CreateMutexA.KERNEL32 ref: 00007FF7A74451C9
GetLastError.KERNEL32 ref: 00007FF7A74451D2
CreateProcessA.KERNEL32 ref: 00007FF7A74454FC
VirtualAllocEx.KERNEL32 ref: 00007FF7A744552B
WriteProcessMemory.KERNEL32 ref: 00007FF7A7445547
VirtualProtect.KERNEL32 ref: 00007FF7A744555C
QueueUserAPC.KERNEL32 ref: 00007FF7A744556B
ResumeThread.KERNEL32 ref: 00007FF7A7445574

Strings

@, xrefs: 00007FF7A744550A

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Process$CreateVirtual$AllocErrorExitLastMemoryMutexProtectQueueResumeThreadUserWrite
String ID: @
API String ID: 2997260034-2766056989
Opcode ID: c9dfee0022c00a0f101e23ed8fc8fd3e6d44756e734118970932e24aa76351ea
Instruction ID: 287cce47776564b2e0361ad78b6f52efd78ef5d59b5de8eaf9761eb2168e2660
Opcode Fuzzy Hash: c9dfee0022c00a0f101e23ed8fc8fd3e6d44756e734118970932e24aa76351ea
Instruction Fuzzy Hash: D5E10372A0A68297EB20AF15D801779FBA1EB51B84FD6C030DA0D477A1DF7CE846DB11

Function 00007FF7A7441131 Relevance: 13.6, APIs: 9, Instructions: 120
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF7A744116E
_amsg_exit.MSVCRT ref: 00007FF7A744118D
_initterm.MSVCRT ref: 00007FF7A74411AE
_initterm.MSVCRT ref: 00007FF7A74411D3
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7A7441212
_malloc_dbg.MSVCRT ref: 00007FF7A7441244
strlen.MSVCRT ref: 00007FF7A744125C
_malloc_dbg.MSVCRT ref: 00007FF7A7441268
_cexit.MSVCRT ref: 00007FF7A74412E3

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: _initterm_malloc_dbg$ExceptionFilterSleepUnhandled_amsg_exit_cexitstrlen
String ID:
API String ID: 4167734774-0
Opcode ID: f5def7a0a038ed72c2c70a7d61577592dc1a50a328b9bb233c42d826715b854f
Instruction ID: c95c73ba9a5a403b5cc421d81a445fd23d495c9976b538de7a188c8dbcaa1646
Opcode Fuzzy Hash: f5def7a0a038ed72c2c70a7d61577592dc1a50a328b9bb233c42d826715b854f
Instruction Fuzzy Hash: 7E516EA1E4B64286FB51FF65E852679A3A1BF48784F868436CD0D873B1DE3CE4429331

Function 00007FF7A7443F9B Relevance: 12.9, APIs: 8, Instructions: 877COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: _malloc_dbg$_calloc_dbg_realloc_dbgabort
String ID:
API String ID: 1593204669-0
Opcode ID: 90b3f885854590a53720ed776d606190da0ed1b7dfbe4464046fe4ccbf83bcd9
Instruction ID: 5fe2cc726cf2abb94bfef5c091b92e5b6fde034e7837f9bcd0526c6b3462acd7
Opcode Fuzzy Hash: 90b3f885854590a53720ed776d606190da0ed1b7dfbe4464046fe4ccbf83bcd9
Instruction Fuzzy Hash: 4392E472A1A5D286EB20AF18D40177DFBA0FB55B88F9AC130C60A037A0DF3AE557D751

Function 00007FF7A7503300 Relevance: 1.6, APIs: 1, Instructions: 56
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 00007FF7A75033BA

Memory Dump Source

Source File: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: cbc32dd1c763ee5ecd0ebd6ae3f4f151f1639d920806004329b1dda2cc8b0a25
Instruction ID: 9ae20fe77f92116bf01f9d47fe216816bb9463d0048dc9287d023d7e0a8b5167
Opcode Fuzzy Hash: cbc32dd1c763ee5ecd0ebd6ae3f4f151f1639d920806004329b1dda2cc8b0a25
Instruction Fuzzy Hash: 2B318176A19B80CFD750CFA9E88069D7BB4F389398B101526EF4D93B28DB38D581CB50

Function 00007FF7A7503240 Relevance: 1.5, APIs: 1, Instructions: 48
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL ref: 00007FF7A75032E6

Memory Dump Source

Source File: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a01786c52720697b127a25d83a9d85298d6443b40b642374534a565a78f97def
Instruction ID: ff5a494d3684d55ffae491fb08010d3bda03c89741d4b54295855e65c2eaff8b
Opcode Fuzzy Hash: a01786c52720697b127a25d83a9d85298d6443b40b642374534a565a78f97def
Instruction Fuzzy Hash: 5621AE76A15F44DEE790CFA5E88029C7BB4F388798B501026EF8D93B28DB38C191CB50

Function 00007FF7A744FEBF Relevance: 12.1, APIs: 8, Instructions: 71
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 00007FF7A744FED1

Part of subcall function 00007FF7A744FCD5: _calloc_dbg.MSVCRT ref: 00007FF7A744FD01

GetCurrentThreadId.KERNEL32 ref: 00007FF7A744FF09
CreateEventA.KERNEL32 ref: 00007FF7A744FF1F

Part of subcall function 00007FF7A744FD81: GetCurrentThreadId.KERNEL32 ref: 00007FF7A744FDC1
Part of subcall function 00007FF7A744FD81: _ultoa.MSVCRT ref: 00007FF7A744FDD4
Part of subcall function 00007FF7A744FD81: OutputDebugStringA.KERNEL32 ref: 00007FF7A744FE0B
Part of subcall function 00007FF7A744FD81: abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7A744FE11

GetCurrentThread.KERNEL32 ref: 00007FF7A744FF56
DuplicateHandle.KERNEL32 ref: 00007FF7A744FF85
abort.MSVCRT ref: 00007FF7A744FF8F
GetThreadPriority.KERNEL32 ref: 00007FF7A744FF98
TlsSetValue.KERNEL32 ref: 00007FF7A744FFC1

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Thread$Current$Valueabort$CreateDebugDuplicateEventHandleOutputPriorityString_calloc_dbg_ultoa
String ID:
API String ID: 3003713025-0
Opcode ID: a61d9d2d8d11fb6f948b1d83da85a79279535a2f833a9b0ebb3d01c5994a3b1e
Instruction ID: 6276344e93fa7fc85d1ef83d6596f6d1fff3679ee7a985f3292a18dbd3e97b54
Opcode Fuzzy Hash: a61d9d2d8d11fb6f948b1d83da85a79279535a2f833a9b0ebb3d01c5994a3b1e
Instruction Fuzzy Hash: FA31B771A0774187E750EF34A805669B6A0FF45BA4F8A5235D91C477B4EF3CD442CB20

Function 00007FF7A744B9AF Relevance: 7.6, APIs: 5, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_calloc_dbg.MSVCRT ref: 00007FF7A744BA32
abort.MSVCRT(?,?,00000000,?,00007FF7A7441638), ref: 00007FF7A744BA3F
_malloc_dbg.MSVCRT ref: 00007FF7A744BABF

Part of subcall function 00007FF7A744F718: GetCurrentThreadId.KERNEL32 ref: 00007FF7A744F650

_realloc_dbg.MSVCRT ref: 00007FF7A744BA6A
_malloc_dbg.MSVCRT ref: 00007FF7A744BADB

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: _malloc_dbg$CurrentThread_calloc_dbg_realloc_dbgabort
String ID:
API String ID: 4037631172-0
Opcode ID: cb5c8176ac3f29cbf0b090c9bff4790e59892fb4a21ba06188dce8fdd6fb2cf5
Instruction ID: 89e3fd5dfe7fea3d81d2f2e56601427b1ee35d4c0d311bbd207a08ba9a5a3b02
Opcode Fuzzy Hash: cb5c8176ac3f29cbf0b090c9bff4790e59892fb4a21ba06188dce8fdd6fb2cf5
Instruction Fuzzy Hash: 3C41BE62B0BA4296EB05FF15D8061B9A365AF04BD4FCA8431DE0D177A5EE3CE807D320

Function 00007FF7A7450A63 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 00007FF7A7450B18

Strings

once %p is %d, xrefs: 00007FF7A7450B0E

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: fprintf
String ID: once %p is %d
API String ID: 383729395-95064319
Opcode ID: 069a526b1ca29d6d2cd1234aed11e83b57c5bb9da3725ca1570d7859e625ba5c
Instruction ID: d05846ab594aec069f38c89b3fb34ac88dcff7a026a28452e9477748561e0ea0
Opcode Fuzzy Hash: 069a526b1ca29d6d2cd1234aed11e83b57c5bb9da3725ca1570d7859e625ba5c
Instruction Fuzzy Hash: 0F118439A0AA4645F720BF21E4016B9BB64AF54BC4FD58030EE4D07775DE3CE8428730

Non-executed Functions

Function 00007FF7A7444DEA Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A744B9AF: _calloc_dbg.MSVCRT ref: 00007FF7A744BA32
Part of subcall function 00007FF7A744B9AF: abort.MSVCRT(?,?,00000000,?,00007FF7A7441638), ref: 00007FF7A744BA3F
Part of subcall function 00007FF7A744B9AF: _malloc_dbg.MSVCRT ref: 00007FF7A744BABF

Part of subcall function 00007FF7A744B9AF: _realloc_dbg.MSVCRT ref: 00007FF7A744BA6A
Part of subcall function 00007FF7A744B9AF: _malloc_dbg.MSVCRT ref: 00007FF7A744BADB

InternetOpenW.WININET ref: 00007FF7A7444EF0
InternetOpenUrlW.WININET ref: 00007FF7A7444F1B
InternetCloseHandle.WININET ref: 00007FF7A7444F41
InternetReadFile.WININET ref: 00007FF7A7444FC0
InternetCloseHandle.WININET ref: 00007FF7A7445092
InternetCloseHandle.WININET ref: 00007FF7A7445099
GetLastError.KERNEL32 ref: 00007FF7A74450A2
InternetCloseHandle.WININET ref: 00007FF7A74450B6
InternetCloseHandle.WININET ref: 00007FF7A74450BD

Strings

vector::_M_range_insert, xrefs: 00007FF7A7444FE4

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Internet$CloseHandle$Open_malloc_dbg$ErrorFileLastRead_calloc_dbg_realloc_dbgabort
String ID: vector::_M_range_insert
API String ID: 264723552-1989829942
Opcode ID: 017bc6dbc77b26f7f5cccc6715b48ffd4ce5d46ff7d23ab9cfe8d0e1996e692e
Instruction ID: e1b14a792c895c69091e6f90ef254ff51085b9b41ee62f5b9c58160540a44a02
Opcode Fuzzy Hash: 017bc6dbc77b26f7f5cccc6715b48ffd4ce5d46ff7d23ab9cfe8d0e1996e692e
Instruction Fuzzy Hash: 5D81066260A78786EB60AF2AA80526AF790FF44BD4F958130DE5E077B0DE3CE447D710

Function 00007FF7A745BAD0 Relevance: 15.1, Strings: 12, Instructions: 101COMMON

Download Yara Rule

Strings

random_device::random_device(const std::string&): unsupported token, xrefs: 00007FF7A745BB77
rdrnd, xrefs: 00007FF7A745BB29
random_device::random_device(const std::string&): device not available, xrefs: 00007FF7A745BC32
Auth, xrefs: 00007FF7A745BC16
Genu, xrefs: 00007FF7A745BBC0
rdrand, xrefs: 00007FF7A745BB16
hardware, xrefs: 00007FF7A745BB4F
rdseed, xrefs: 00007FF7A745BB03
Genu, xrefs: 00007FF7A745BC0E
rand_s, xrefs: 00007FF7A745BB65
Auth, xrefs: 00007FF7A745BBC8
default, xrefs: 00007FF7A745BAE1

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: strlen
String ID: Auth$Auth$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 39653677-628424350
Opcode ID: 872e677486dcfd82242d52c130103bd2ece8de99e6215b88830f85ad13c42478
Instruction ID: 26f022017ccd9f0d8970afa7696f1347798d0e8ba13620a54e0a29e8e4afcf1e
Opcode Fuzzy Hash: 872e677486dcfd82242d52c130103bd2ece8de99e6215b88830f85ad13c42478
Instruction Fuzzy Hash: 50414B60A0E60B51FE64BF15A8912B4A2505F41780FD78139CC0E876F9EE6DEE07C33A

Function 00007FF7A7441E8D Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF7A7441F26
OpenProcess.KERNEL32 ref: 00007FF7A7441F84

Part of subcall function 00007FF7A7458080: strlen.MSVCRT ref: 00007FF7A7458095

TerminateProcess.KERNEL32 ref: 00007FF7A7441FB9

Strings

QEMU HARDDISK, xrefs: 00007FF7A7441F8F
DADY HARDDISK, xrefs: 00007FF7A7441F60
\\.\PhysicalDrive0, xrefs: 00007FF7A7441EA5

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Process$ControlDeviceOpenTerminatestrlen
String ID: DADY HARDDISK$QEMU HARDDISK$\\.\PhysicalDrive0
API String ID: 310750680-373463814
Opcode ID: c9f3093746e9c76ecf5eedd497b65db6876328f3d5b61e7279b48e2101a6ee4d
Instruction ID: bebccfa69e1a36b5cd2b25963e2c778a5d9ccfac817c348c0fc879b8b8ef0da4
Opcode Fuzzy Hash: c9f3093746e9c76ecf5eedd497b65db6876328f3d5b61e7279b48e2101a6ee4d
Instruction Fuzzy Hash: 9931E521B5E65282F760BF25B51177AE291AF84B90F865131DE4E03BB4EF3CD5078B10

Function 00007FF7A745124B Relevance: 9.1, APIs: 6, Instructions: 138sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A744FCD5: _calloc_dbg.MSVCRT ref: 00007FF7A744FD01

CreateEventA.KERNEL32 ref: 00007FF7A74512B8
Sleep.KERNEL32 ref: 00007FF7A74512CF
_beginthreadex.MSVCRT ref: 00007FF7A7451373
SetThreadPriority.KERNEL32 ref: 00007FF7A74513E6
ResetEvent.KERNEL32 ref: 00007FF7A74513F0
Sleep.KERNEL32 ref: 00007FF7A7451424

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: EventSleep$CreatePriorityResetThread_beginthreadex_calloc_dbg
String ID:
API String ID: 1989753889-0
Opcode ID: f9bd57d1675830643987745c89b7ed90095948890b46850970418ca1d4964acc
Instruction ID: 8d4c847802ccc16f27f92179d72c38e31cd9ff0127f0ea002fe13e5eca24ed8f
Opcode Fuzzy Hash: f9bd57d1675830643987745c89b7ed90095948890b46850970418ca1d4964acc
Instruction Fuzzy Hash: 2F518131A0A74286E764AF74945077DB6A0EB44B64F9A4335DE2E47BF4DF38D842C710

Function 00007FF7A744A22A Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 292stringCOMMON

Download Yara Rule

APIs

_strncoll.MSVCRT ref: 00007FF7A744A274
strlen.MSVCRT ref: 00007FF7A744A2E3
strlen.MSVCRT ref: 00007FF7A744A4A8
strlen.MSVCRT ref: 00007FF7A744A4ED

Strings

_GLOBAL_, xrefs: 00007FF7A744A268

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: strlen$_strncoll
String ID: _GLOBAL_
API String ID: 3979851410-770460502
Opcode ID: 5effe14cda6150c3d789026d1830ca87b6b119f5c09e978b584deabdc8b959d7
Instruction ID: bd72565b51ad935321bedebfd05be031285dd0eaff9864dc6313d5963789d8d2
Opcode Fuzzy Hash: 5effe14cda6150c3d789026d1830ca87b6b119f5c09e978b584deabdc8b959d7
Instruction Fuzzy Hash: 69C1B472B0A7C18BFB60AF7098463EEB7A1BB04388F854135DA4D07B95DF389597A710

Function 00007FF7A7450708 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

RtlRemoveVectoredExceptionHandler.NTDLL ref: 00007FF7A745072D
RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF7A7450753

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: ExceptionHandlerVectored$Remove
String ID:
API String ID: 3670940754-0
Opcode ID: 30e25ca606a908c3c77ad5bf51a2b4120e00b8f6cb6c01133260b5ce20f67392
Instruction ID: 36fd5c98a018b007faadd793dda1634aab854f526a2d27d7d319491cc6e4594e
Opcode Fuzzy Hash: 30e25ca606a908c3c77ad5bf51a2b4120e00b8f6cb6c01133260b5ce20f67392
Instruction Fuzzy Hash: 1D416E69E0BA0286FB64BF319561778AB90EF94B44FC74135CD0E066B5DF2CA843C761

Function 00007FF7A7441616 Relevance: 5.0, APIs: 3, Instructions: 548memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A744B9AF: _calloc_dbg.MSVCRT ref: 00007FF7A744BA32
Part of subcall function 00007FF7A744B9AF: abort.MSVCRT(?,?,00000000,?,00007FF7A7441638), ref: 00007FF7A744BA3F
Part of subcall function 00007FF7A744B9AF: _malloc_dbg.MSVCRT ref: 00007FF7A744BABF

Part of subcall function 00007FF7A744B9AF: _realloc_dbg.MSVCRT ref: 00007FF7A744BA6A
Part of subcall function 00007FF7A744B9AF: _malloc_dbg.MSVCRT ref: 00007FF7A744BADB

VirtualProtect.KERNEL32 ref: 00007FF7A7441D38
VirtualProtect.KERNEL32 ref: 00007FF7A7441D59
FlushInstructionCache.KERNEL32 ref: 00007FF7A7441D6E

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: ProtectVirtual_malloc_dbg$CacheFlushInstruction_calloc_dbg_realloc_dbgabort
String ID:
API String ID: 4203908447-0
Opcode ID: b801f07323f567c1f67f9b575f470bc806e416ca52103e225e01151822b5cc0d
Instruction ID: c17a832924477399efc257e380408bc0307215de0033afa34e6e6669779d9a70
Opcode Fuzzy Hash: b801f07323f567c1f67f9b575f470bc806e416ca52103e225e01151822b5cc0d
Instruction Fuzzy Hash: FE32D732A5E2D69AF721AF14D801A79FB92EB51B40FDAC031C649037A1DF7CE846D712

Function 00007FF7A74516E5 Relevance: 4.6, APIs: 3, Instructions: 63COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007FF7A745175E
IsDebuggerPresent.KERNEL32 ref: 00007FF7A7451781
RaiseException.KERNEL32 ref: 00007FF7A74517A7

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: ??3@DebuggerExceptionPresentRaise
String ID:
API String ID: 3279378595-0
Opcode ID: 2e72401c0cad45c492d3f28a0a3c7ec8f1773598b95bc1ceb0aaab6d12aa8799
Instruction ID: cf24c8956bb59c93ab0bd37378eff9d732c89b0f47669fe7c864d4c4ceb920ff
Opcode Fuzzy Hash: 2e72401c0cad45c492d3f28a0a3c7ec8f1773598b95bc1ceb0aaab6d12aa8799
Instruction Fuzzy Hash: CA218A25E0A61146FB51BF299450B79A7A09F847A4FCA4235DD5E473E0EF3CDC428760

Function 00007FF7A744239E Relevance: 3.0, APIs: 2, Instructions: 25fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A744B6E8: RtlCaptureContext.KERNEL32 ref: 00007FF7A744B777
Part of subcall function 00007FF7A744B6E8: RtlUnwindEx.KERNEL32 ref: 00007FF7A744B79C
Part of subcall function 00007FF7A744B6E8: abort.MSVCRT ref: 00007FF7A744B7A2

FindFirstFileW.KERNEL32 ref: 00007FF7A74423E3
FindClose.KERNEL32 ref: 00007FF7A74423F4

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Find$CaptureCloseContextFileFirstUnwindabort
String ID:
API String ID: 1173583122-0
Opcode ID: f41b677438223da7a46e2798f1a31f3eece2fd216ba5b74784c056f71f3a44ef
Instruction ID: 80f11251e99a957fba661b341d1bd3cf6667e6bf5639710d0c73c050734e3851
Opcode Fuzzy Hash: f41b677438223da7a46e2798f1a31f3eece2fd216ba5b74784c056f71f3a44ef
Instruction Fuzzy Hash: 85F01C16E4F50392EE64BE71A41A37D91216F81BA4FD70330EC3E462F2DC6CA406A724

Function 00007FF7A74423AB Relevance: 3.0, APIs: 2, Instructions: 22fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A744B6E8: RtlCaptureContext.KERNEL32 ref: 00007FF7A744B777
Part of subcall function 00007FF7A744B6E8: RtlUnwindEx.KERNEL32 ref: 00007FF7A744B79C
Part of subcall function 00007FF7A744B6E8: abort.MSVCRT ref: 00007FF7A744B7A2

FindFirstFileW.KERNEL32 ref: 00007FF7A74423E3
FindClose.KERNEL32 ref: 00007FF7A74423F4

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Find$CaptureCloseContextFileFirstUnwindabort
String ID:
API String ID: 1173583122-0
Opcode ID: d2b7b5e4e4d4903b2067ac58cda3c73e49b602dad230a0c53b7a789532316b38
Instruction ID: 3c139620c5c6120ff9c677087e8b332c0ecee52c8f1f67837134aacf831a2679
Opcode Fuzzy Hash: d2b7b5e4e4d4903b2067ac58cda3c73e49b602dad230a0c53b7a789532316b38
Instruction Fuzzy Hash: 63E06D16E4F40282EA50BF71941A37D9120AF44BB4FD70330E83E862F2EC5C90069720

Function 00007FF7A74423B3 Relevance: 3.0, APIs: 2, Instructions: 21fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A744B6E8: RtlCaptureContext.KERNEL32 ref: 00007FF7A744B777
Part of subcall function 00007FF7A744B6E8: RtlUnwindEx.KERNEL32 ref: 00007FF7A744B79C
Part of subcall function 00007FF7A744B6E8: abort.MSVCRT ref: 00007FF7A744B7A2

FindFirstFileW.KERNEL32 ref: 00007FF7A74423E3
FindClose.KERNEL32 ref: 00007FF7A74423F4

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Find$CaptureCloseContextFileFirstUnwindabort
String ID:
API String ID: 1173583122-0
Opcode ID: 914610cf9d3d9227e65c187e472236fd9f93fddb216c463d2714c3a429159952
Instruction ID: 4cd186f48259bb599de883d061734979e13b8c80b4e6f10d4434c45ce8e80825
Opcode Fuzzy Hash: 914610cf9d3d9227e65c187e472236fd9f93fddb216c463d2714c3a429159952
Instruction Fuzzy Hash: 3BE06D12A4E00282EA50BB31941937D9210AB45B74FC60330E83E462F1DD5C90069720

Function 00007FF7A74423C0 Relevance: 3.0, APIs: 2, Instructions: 18fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A744B6E8: RtlCaptureContext.KERNEL32 ref: 00007FF7A744B777
Part of subcall function 00007FF7A744B6E8: RtlUnwindEx.KERNEL32 ref: 00007FF7A744B79C
Part of subcall function 00007FF7A744B6E8: abort.MSVCRT ref: 00007FF7A744B7A2

FindFirstFileW.KERNEL32 ref: 00007FF7A74423E3
FindClose.KERNEL32 ref: 00007FF7A74423F4

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Find$CaptureCloseContextFileFirstUnwindabort
String ID:
API String ID: 1173583122-0
Opcode ID: 8f603ed01b97c1f512cc208b8baf28061b46fecf35cb2b4958718e7a6b045037
Instruction ID: 08bc9ac2fecf22200f55e7ff06298a96a68a79469c235ab3594f1d927e526f24
Opcode Fuzzy Hash: 8f603ed01b97c1f512cc208b8baf28061b46fecf35cb2b4958718e7a6b045037
Instruction Fuzzy Hash: B8E08612B4B40286EF90BF35D8193789210AB55B74FC70330E93E863F1ED6C90068710

Function 00007FF7A7448792 Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

std, xrefs: 00007FF7A744896E
string literal, xrefs: 00007FF7A7448894

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID:
String ID: std$string literal
API String ID: 0-2980153874
Opcode ID: aa7718613de81c81ab0da101cb38be5f76b8bf14329ad2edd72083dfb1550644
Instruction ID: a285675ed14bed7ab05e361ca77236f01c124564cdce5d782ed7105c6a76292a
Opcode Fuzzy Hash: aa7718613de81c81ab0da101cb38be5f76b8bf14329ad2edd72083dfb1550644
Instruction Fuzzy Hash: 0071C652F0EA4642FA65BE255C03279D6899F41B94F8A8530DA1D473F5EE3CF843A360

Function 00007FF7A744202A Relevance: 1.8, APIs: 1, Instructions: 267COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A7441FF0: GetModuleFileNameA.KERNEL32 ref: 00007FF7A744200C

Part of subcall function 00007FF7A744B9AF: _calloc_dbg.MSVCRT ref: 00007FF7A744BA32
Part of subcall function 00007FF7A744B9AF: abort.MSVCRT(?,?,00000000,?,00007FF7A7441638), ref: 00007FF7A744BA3F
Part of subcall function 00007FF7A744B9AF: _malloc_dbg.MSVCRT ref: 00007FF7A744BABF

Part of subcall function 00007FF7A744B9AF: _realloc_dbg.MSVCRT ref: 00007FF7A744BA6A
Part of subcall function 00007FF7A744B9AF: _malloc_dbg.MSVCRT ref: 00007FF7A744BADB

ShellExecuteA.SHELL32 ref: 00007FF7A7442379

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: _malloc_dbg$ExecuteFileModuleNameShell_calloc_dbg_realloc_dbgabort
String ID:
API String ID: 1988290971-0
Opcode ID: dc65c2f86ff53822ab6fa6e49b52be19be44138d922a814b3a7da31c45c91a0a
Instruction ID: 40f398050d5d3eb1b56e73780011689a068b0429fb6b259586e698cdc50c962e
Opcode Fuzzy Hash: dc65c2f86ff53822ab6fa6e49b52be19be44138d922a814b3a7da31c45c91a0a
Instruction Fuzzy Hash: FDB1C736A0E18297E721AF20D406779FBA1EB91B80FD6C031D60D472A1DF7CA947D725

Function 00007FF7A7502F90 Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 00007FF7A7503044

Memory Dump Source

Source File: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 528b05e9cc6b4df32d1c2766c75bc3ee61be69a5a132acc8aa064f40dc82e32b
Instruction ID: 76e43f47b24403718ee8e8cf8b5ecf4899d8432148e1fe679a92819d3c064843
Opcode Fuzzy Hash: 528b05e9cc6b4df32d1c2766c75bc3ee61be69a5a132acc8aa064f40dc82e32b
Instruction Fuzzy Hash: 9221F676A19B40CED750CFA9E88059D7BB4F38D798B101426EF8D93B28DB38D590CB10

Function 00007FF7A7503060 Relevance: 1.5, APIs: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 00007FF7A75030DB

Memory Dump Source

Source File: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: 2e9e50bfab5740a14588598e2ab8d9cb19d3d38ff1179786d2990e1b39e353ad
Instruction ID: a756006c3c0fc2efc2c9014b60db79d8e05f6266fd7f7b0b284b26ec786a22f7
Opcode Fuzzy Hash: 2e9e50bfab5740a14588598e2ab8d9cb19d3d38ff1179786d2990e1b39e353ad
Instruction Fuzzy Hash: 9A11EF76A19B40DEE750CFA4E88059C7BB4F38C358B141126EF4DA3B28DB38D582CB50

Function 00007FF7A7451870 Relevance: 1.5, APIs: 1, Instructions: 14timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7A7451879

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 06b714334ece55f816e9b8b0b34d539c0cb158430d8de723e4e09ab0daaa5613
Instruction ID: 465eb2f2fe8f0d3a989096285b82bd848db7f54b4d6bf4b241a77b72f8e12e8f
Opcode Fuzzy Hash: 06b714334ece55f816e9b8b0b34d539c0cb158430d8de723e4e09ab0daaa5613
Instruction Fuzzy Hash: 53D05EAAF0854487DB20DB10F445116B722EBD8399F848121EE4D46728DE3CD6678F00

Function 00007FF7A74481B2 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7535b4de21109a093e06d6470f75b173737e89990db753913e80a83cbdb06915
Instruction ID: 2d11b3149d437905218b337bc0a5c29990e86769cf779fef0aad686f468dbe05
Opcode Fuzzy Hash: 7535b4de21109a093e06d6470f75b173737e89990db753913e80a83cbdb06915
Instruction Fuzzy Hash: FFD18A51F0F64647FB64BE155853279D69AAF81B84FDB8031CA1D137E5DE3CE883A220

Function 00007FF7A7455FB0 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d9710f2c56e218d2d3573632ab62a7169e96cd0065a10416511275e92a0c56
Instruction ID: e1bdc48b38443bfb4114096bb3980452dd35a36d8cb425dcc7597cafe0f0f2d2
Opcode Fuzzy Hash: 56d9710f2c56e218d2d3573632ab62a7169e96cd0065a10416511275e92a0c56
Instruction Fuzzy Hash: 14B1A722A0E78181FA61AF15E01037EE791FB85B84FC54135EE8D477A9DF3CE8468752

Function 00007FF7A74793D0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea88672dd1ffb5430322d8e6cb9690b4efafaa478607b106da9101461615f464
Instruction ID: 605d38960977daba03ea2ccbcb2befb93d70d99c9c6ea567fdc55489e760e7a0
Opcode Fuzzy Hash: ea88672dd1ffb5430322d8e6cb9690b4efafaa478607b106da9101461615f464
Instruction Fuzzy Hash: 9481C5F3A0EF9589EB149F198085368E3A0F714B95FA25231CF5E576B1CA2AD4E3C710

Function 00007FF7A76B9DA8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44c2f10f09bfc9bcf34c4302529c4037be47bb10c65892144451d2728afb84c
Instruction ID: b599d1eaeefb7f77b63aa3c3573666d1fa1b77433a2cbe42de9075c26d9f2736
Opcode Fuzzy Hash: d44c2f10f09bfc9bcf34c4302529c4037be47bb10c65892144451d2728afb84c
Instruction Fuzzy Hash: 27F0F95BA8FBC18BF7679A6408351586F619BE39057CA90B7C3C4872E3D44E180AC366

Function 00007FF7A74706B0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5338b2410c88fadbddd5476d659243740ef45eec0dfff78edda5a85c0f4bb367
Instruction ID: e8544e1f3ef89495dcc7e3576f10e51f519670ab7c23515600a6e389cb2d4ea1
Opcode Fuzzy Hash: 5338b2410c88fadbddd5476d659243740ef45eec0dfff78edda5a85c0f4bb367
Instruction Fuzzy Hash: 01D0C987F4FBC385F15296A8093D1199ED19F92924F5EC27ACE680B2F2D90A6C035761

Function 00007FF7A74566F0 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 00007FF7A74567EC
fputs.MSVCRT ref: 00007FF7A745680F
fputs.MSVCRT ref: 00007FF7A7456825
??3@YAXPEAX@Z.MSVCRT ref: 00007FF7A7456834
fputs.MSVCRT ref: 00007FF7A745684F
abort.MSVCRT ref: 00007FF7A7456854
fputs.MSVCRT ref: 00007FF7A7456883
fputs.MSVCRT ref: 00007FF7A7456895
_fputchar.MSVCRT ref: 00007FF7A74568A9

Strings

what(): , xrefs: 00007FF7A745687C
terminate called recursively, xrefs: 00007FF7A745678E
terminate called without an active exception, xrefs: 00007FF7A7456845
terminate called after throwing an instance of ', xrefs: 00007FF7A74567E2
not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 00007FF7A7456702

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: fputs$??3@_fputcharabort
String ID: what(): $not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 708758616-2619835231
Opcode ID: 03df02dc98cc8839d30060f0d2be1441028e1b2bb4f5cd27b03a2b79452e0f9c
Instruction ID: e3c8fe2c7d8f0a4d9e5f5b8553405be5cece0e05bf2d31355adb0e8936412c80
Opcode Fuzzy Hash: 03df02dc98cc8839d30060f0d2be1441028e1b2bb4f5cd27b03a2b79452e0f9c
Instruction Fuzzy Hash: 2B41B150B0B14696FB20BF6194163B9E241AF94BC4FC58139DD5D077F6EE2CA5038332

Function 00007FF7A744B4C5 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 127COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000060,basic_string::_M_create,?,?,?,?,?,00007FF7A7460585), ref: 00007FF7A744B645
RtlUnwindEx.KERNEL32 ref: 00007FF7A744B68C

Strings

CCG", xrefs: 00007FF7A744B560
CCG!, xrefs: 00007FF7A744B509
CCG , xrefs: 00007FF7A744B594
CCG!, xrefs: 00007FF7A744B5EA
basic_string::_M_create, xrefs: 00007FF7A744B4CD

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Unwindabort
String ID: CCG $CCG!$CCG!$CCG"$basic_string::_M_create
API String ID: 2187188232-955483099
Opcode ID: 5c11fb32fddcd6020f564f55c892b7a8362662d2fcca294fb10a82fd64d06b88
Instruction ID: 0b6c299b6f4c357f40584ea6261c3d58b377148fd6788fb6b7db64dbaf4aad5c
Opcode Fuzzy Hash: 5c11fb32fddcd6020f564f55c892b7a8362662d2fcca294fb10a82fd64d06b88
Instruction Fuzzy Hash: 78516172609B4082D7709F49E4812ADB3A4F788B98F614136EF8D47B68DF3DD892C701

Function 00007FF7A744A9F4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF7A744AA9D
VirtualProtect.KERNEL32 ref: 00007FF7A744AB05
GetLastError.KERNEL32 ref: 00007FF7A744AB0F

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF7A744A9F9
VirtualProtect failed with code 0x%x, xrefs: 00007FF7A744AB15
Address %p has no image-section, xrefs: 00007FF7A744AA55
Mingw-w64 runtime failure:, xrefs: 00007FF7A744A9BB
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF7A744AAB2

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: Unknown pseudo relocation protocol version %d.$ VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 637304234-2693646698
Opcode ID: 45274ac9ef603680abd18d8f8fecf1d52b65f8dbcdd6c6544261d3d9f28096a7
Instruction ID: cc8e6ed20027afc2e7bd82dba993e73e065e2184557e5e108135d5bd74bac7bd
Opcode Fuzzy Hash: 45274ac9ef603680abd18d8f8fecf1d52b65f8dbcdd6c6544261d3d9f28096a7
Instruction Fuzzy Hash: 2B318272B0B74296EB00BF11E845169A7A1BB84B94F868535DE4C47374DE3CE487C750

Function 00007FF7A7450E48 Relevance: 13.6, APIs: 9, Instructions: 115threadinjectionsynchronizationCOMMON

Download Yara Rule

APIs

GetHandleInformation.KERNEL32 ref: 00007FF7A7450E81

Part of subcall function 00007FF7A744F718: GetCurrentThreadId.KERNEL32 ref: 00007FF7A744F650

SetEvent.KERNEL32 ref: 00007FF7A7450EC5
SuspendThread.KERNEL32 ref: 00007FF7A7450F39
WaitForSingleObject.KERNEL32 ref: 00007FF7A7450F45
GetThreadContext.KERNEL32 ref: 00007FF7A7450F5D
SetThreadContext.KERNEL32 ref: 00007FF7A7450F79
SetEvent.KERNEL32 ref: 00007FF7A7450F9F
ResumeThread.KERNEL32 ref: 00007FF7A7450FB1
SetEvent.KERNEL32 ref: 00007FF7A7450FDA

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Thread$Event$Context$CurrentHandleInformationObjectResumeSingleSuspendWait
String ID:
API String ID: 47337953-0
Opcode ID: 27f02c62d9415308b88906aaa5bb19e0af21946852c98ca8fe3fb38fe1ce8cc0
Instruction ID: 4412bb330ec6fc7f7f0c13ab413e406ed99da57271022a15a60defa7fb9dccc2
Opcode Fuzzy Hash: 27f02c62d9415308b88906aaa5bb19e0af21946852c98ca8fe3fb38fe1ce8cc0
Instruction Fuzzy Hash: 4A41B96AA0B54286FB65BF31945027CAF60AF45B74FC60230DD5D462F5DF2CD8478720

Function 00007FF7A7452A5E Relevance: 10.6, APIs: 7, Instructions: 99COMMON

Download Yara Rule

APIs

RtlTryAcquirePebLock.NTDLL ref: 00007FF7A7452AF3
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452B4B
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452B81
RtlDeleteCriticalSection.NTDLL ref: 00007FF7A7452B8E
RtlDeleteCriticalSection.NTDLL ref: 00007FF7A7452B93
RtlDeleteCriticalSection.NTDLL ref: 00007FF7A7452B99
??3@YAXPEAX@Z.MSVCRT ref: 00007FF7A7452B9E

Part of subcall function 00007FF7A74523F0: RtlAcquirePebLock.NTDLL ref: 00007FF7A7452408
Part of subcall function 00007FF7A74523F0: RtlLeaveCriticalSection.NTDLL ref: 00007FF7A745242C

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: CriticalSection$DeleteLeave$AcquireLock$??3@
String ID:
API String ID: 224785017-0
Opcode ID: 1ff8e04dd4b8a04b36bf890e0e3cb9745a107817c28e865f2f861b65b7d8fe62
Instruction ID: aa14cfb240d275ebf33c23cf927e6984b239e445da0b187d587ed4ef87bc3502
Opcode Fuzzy Hash: 1ff8e04dd4b8a04b36bf890e0e3cb9745a107817c28e865f2f861b65b7d8fe62
Instruction Fuzzy Hash: 0831C161B0A64256E664BF26B9102BAA350AF45BA4FC14232DE6E477F1CE3CE8439314

Function 00007FF7A745262F Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

_calloc_dbg.MSVCRT ref: 00007FF7A7452664
CreateSemaphoreA.KERNEL32 ref: 00007FF7A74526A3
CreateSemaphoreA.KERNEL32 ref: 00007FF7A74526B9
??3@YAXPEAX@Z.MSVCRT ref: 00007FF7A74526EE
RtlInitializeCriticalSection.NTDLL ref: 00007FF7A745270A
RtlInitializeCriticalSection.NTDLL ref: 00007FF7A7452710
RtlInitializeCriticalSection.NTDLL ref: 00007FF7A7452716

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: CriticalInitializeSection$CreateSemaphore$??3@_calloc_dbg
String ID:
API String ID: 278339251-0
Opcode ID: bf98f47723efefa634e8925d1203b70c7d3bd4a0b706e5b27215a6e2f3ceb217
Instruction ID: d52753cf0a823881b82260e84ecab76877c76e0a6dd9fdb9aed97fe75aed85c5
Opcode Fuzzy Hash: bf98f47723efefa634e8925d1203b70c7d3bd4a0b706e5b27215a6e2f3ceb217
Instruction Fuzzy Hash: 9E21E57170764286FB68EF35E95077A6291EF50B94FCA8136CE5D8B3A4DE3C9842C720

Function 00007FF7A7451B22 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 36COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7A7451B85
exit.MSVCRT ref: 00007FF7A7451B8F

Strings

(, xrefs: 00007FF7A7451B65
(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0), xrefs: 00007FF7A7451B74
Assertion failed: (%s), file %s, line %d, xrefs: 00007FF7A7451B7E
/mingw-w64-v11.0.0/mingw-w64-libraries/winpthreads/src/rwlock.c, xrefs: 00007FF7A7451B6D

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: exitfprintf
String ID: ($(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)$/mingw-w64-v11.0.0/mingw-w64-libraries/winpthreads/src/rwlock.c$Assertion failed: (%s), file %s, line %d
API String ID: 4243785698-3600795083
Opcode ID: 07f5d123ec4a99d66df522e411186e11b47df596a6235e599fcc669a190e2e7c
Instruction ID: d7912bb7a0b7f315adb13caef6e27d6ceeb0f2a0be2b1e81f361e38fb060d743
Opcode Fuzzy Hash: 07f5d123ec4a99d66df522e411186e11b47df596a6235e599fcc669a190e2e7c
Instruction Fuzzy Hash: F5018466B0A64592F700AF24E9152B8E711AB44B94FC68036DD0D073B6DFBDDC47C362

Function 00007FF7A7449C39 Relevance: 10.2, APIs: 8, Instructions: 250stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF7A7449C58
strcmp.MSVCRT ref: 00007FF7A7449D7E
strcmp.MSVCRT ref: 00007FF7A7449DAB
strcmp.MSVCRT ref: 00007FF7A7449DD0
strcmp.MSVCRT ref: 00007FF7A7449DE3
strcmp.MSVCRT ref: 00007FF7A7449E86
strcmp.MSVCRT ref: 00007FF7A7449E99
strcmp.MSVCRT ref: 00007FF7A7449FB4

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: strcmp
String ID:
API String ID: 1004003707-0
Opcode ID: 18849e5a546d5317a71dd11980ccb38660b53e008e329bdc2d272acacbb80f03
Instruction ID: 12407b2f19819e1fb47bda769cb44688599e6013b0fa2ec9bafe4964a940838b
Opcode Fuzzy Hash: 18849e5a546d5317a71dd11980ccb38660b53e008e329bdc2d272acacbb80f03
Instruction Fuzzy Hash: F8919051E0E28347FA64BE2658472B9D2854F42B82FDAC035D94E077F6DE2CE943B321

Function 00007FF7A744F718 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A744F609: _malloc_dbg.MSVCRT ref: 00007FF7A744F5B1
Part of subcall function 00007FF7A744F609: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF7A744F5F7

GetCurrentThreadId.KERNEL32 ref: 00007FF7A744F650
GetCurrentThreadId.KERNEL32 ref: 00007FF7A744F668

Strings

basic_string::_M_create, xrefs: 00007FF7A744F620

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: CurrentThread$??3@_malloc_dbg
String ID: basic_string::_M_create
API String ID: 581562805-3122258987
Opcode ID: bc7a7ee65b1ecb8bcbc3017fe0d6439e0a09fe84b4c09e96669dfaffec9f4652
Instruction ID: 89d2fdc2be4d7187cf4a14134252f37a82748d79d7bde8c52e8cd5c87e3aad65
Opcode Fuzzy Hash: bc7a7ee65b1ecb8bcbc3017fe0d6439e0a09fe84b4c09e96669dfaffec9f4652
Instruction Fuzzy Hash: 86319121E0B2039BFB656E649806339A591BF44755F9E8035DD0D862F4EE3CE883E771

Function 00007FF7A744FD81 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7A744FDC1
_ultoa.MSVCRT ref: 00007FF7A744FDD4
OutputDebugStringA.KERNEL32 ref: 00007FF7A744FE0B
abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7A744FE11

Strings

Error cleaning up spin_keys for thread , xrefs: 00007FF7A744FDAC

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: CurrentDebugOutputStringThread_ultoaabort
String ID: Error cleaning up spin_keys for thread
API String ID: 4191895893-2906507043
Opcode ID: dacbd3911e222d57cacfaeadd5447095d891d6e8f2abf5efbcf0ed51b3a84f37
Instruction ID: 3680b56bc36ae66b9e8e6a1586e1552408a2459c316626346324688afe76f6cc
Opcode Fuzzy Hash: dacbd3911e222d57cacfaeadd5447095d891d6e8f2abf5efbcf0ed51b3a84f37
Instruction Fuzzy Hash: E5110852B0F60282FF21AB24E51437A9AA1DB45765FD90330CA6D4A3F5CE2CD8478725

Function 00007FF7A7452783 Relevance: 7.7, APIs: 5, Instructions: 181synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7A74527D5
ResetEvent.KERNEL32 ref: 00007FF7A7452846
WaitForSingleObject.KERNEL32 ref: 00007FF7A745287F
WaitForSingleObject.KERNEL32 ref: 00007FF7A745292F
WaitForSingleObject.KERNEL32 ref: 00007FF7A74529A7

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: ObjectSingleWait$EventReset
String ID:
API String ID: 466820088-0
Opcode ID: c1c73f9e16f899d95e94b6f4e59d718316d90df37484412a4e23620487738ba7
Instruction ID: 2dc54a7a7ac29dd029d70dee103e28c40ba55d489d8a7daae16a6a4b545f22d7
Opcode Fuzzy Hash: c1c73f9e16f899d95e94b6f4e59d718316d90df37484412a4e23620487738ba7
Instruction Fuzzy Hash: A3517B92F0E60342FAB47DA6848537AC6809F96700FDB0133DD4EA66F2DD5CAC47913A

Function 00007FF7A745087B Relevance: 7.6, APIs: 5, Instructions: 96sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A744F718: GetCurrentThreadId.KERNEL32 ref: 00007FF7A744F650

TlsSetValue.KERNEL32 ref: 00007FF7A74508B9
GetCurrentThreadId.KERNEL32 ref: 00007FF7A74508BF

Part of subcall function 00007FF7A744F76F: GetCurrentThreadId.KERNEL32 ref: 00007FF7A744F79A

TlsSetValue.KERNEL32 ref: 00007FF7A74509AB
Sleep.KERNEL32 ref: 00007FF7A74509EE
_endthreadex.MSVCRT ref: 00007FF7A74509F8

Part of subcall function 00007FF7A744F76F: SetEvent.KERNEL32 ref: 00007FF7A744F7CF

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: CurrentThread$Value$EventSleep_endthreadex
String ID:
API String ID: 197234052-0
Opcode ID: 6baeca634922873dd4ceb8e89880999fe2e386df8df25a18b82bf994a4dc4886
Instruction ID: 803b10a6b392d695047a081ec8551f70fcf325a316b6920bc30747c2e84a32e5
Opcode Fuzzy Hash: 6baeca634922873dd4ceb8e89880999fe2e386df8df25a18b82bf994a4dc4886
Instruction Fuzzy Hash: 5B41FA65A0A74286FB40FF22D8511B9A760FB85B94FCA4531E91E473B5DE3CE846D320

Function 00007FF7A74523F0 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

RtlAcquirePebLock.NTDLL ref: 00007FF7A7452408
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A745242C
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A745243F

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: CriticalLeaveSection$AcquireLock
String ID:
API String ID: 602743569-0
Opcode ID: ce9b49317acdec01005a075105c737f91ae751c963191ea0a905082830937bc6
Instruction ID: 59d33144ba1ca5d65c44d1de4e06cabe7e206db50a87ec3add0820f89e6a7a17
Opcode Fuzzy Hash: ce9b49317acdec01005a075105c737f91ae751c963191ea0a905082830937bc6
Instruction Fuzzy Hash: 8101A722B0B60246E714AF56BD91739D2516F9AB91FC58130DD4E86760DD2CA8838714

Function 00007FF7A745346E Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF7A745347E
OpenProcess.KERNEL32 ref: 00007FF7A74534A8
GetLastError.KERNEL32 ref: 00007FF7A74534B6
_errno.MSVCRT ref: 00007FF7A74534C4
_errno.MSVCRT ref: 00007FF7A74534DF

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: _errno$ErrorLastOpenProcess
String ID:
API String ID: 90818072-0
Opcode ID: 80ba77a71dfa169f0255d3c17314ada1875425b4c48a71b41787d6493320c567
Instruction ID: 3f1b6220f12aed7599c36588583318d6898a7e2c15192e8e728aca820632f9fa
Opcode Fuzzy Hash: 80ba77a71dfa169f0255d3c17314ada1875425b4c48a71b41787d6493320c567
Instruction Fuzzy Hash: BE017120B5B60696FB567FA1AC84138A594AF55B59FC74534CD0E4A3B0CE3C3C4B9B31

Function 00007FF7A744AB3B Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00007FF7A746F078,00000000,?,?,?,00007FF7A746F070,00007FF7A7441208), ref: 00007FF7A744AD92

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF7A744AD2D
Unknown pseudo relocation protocol version %d., xrefs: 00007FF7A744AC32
Unknown pseudo relocation bit size %d., xrefs: 00007FF7A744ACBB

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: e25a082c85769d3cbbc96d63a987aef09790b4ab5927b19e99f6cde364bfa7fd
Instruction ID: 57985c86cfd6ab6510af4e76284844801bbd4779f5da4ae3c0253f227fe48f45
Opcode Fuzzy Hash: e25a082c85769d3cbbc96d63a987aef09790b4ab5927b19e99f6cde364bfa7fd
Instruction Fuzzy Hash: FF6191A1F0A74287FB64AF11D84227AA7A1AB44794F868131DA1C077F9DF3CE5C2D721

Function 00007FF7A7450171 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7A745019E
GetCurrentThreadId.KERNEL32 ref: 00007FF7A74501DB

Strings

T%p %d V=%0X H=%p %s, xrefs: 00007FF7A74501F5
T%p %d %s, xrefs: 00007FF7A74501A5

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: CurrentThread
String ID: T%p %d %s$T%p %d V=%0X H=%p %s
API String ID: 2882836952-2059990036
Opcode ID: 8413c510d5cdcff8d95115becfb6cf38646dd406880fb16d7e77bc95e3aa644a
Instruction ID: bb86ceee8198069c03179e5c3093974ea7ecbf88d4ab6c1b2447b36e4e739977
Opcode Fuzzy Hash: 8413c510d5cdcff8d95115becfb6cf38646dd406880fb16d7e77bc95e3aa644a
Instruction Fuzzy Hash: 2F117076A0E75681EA10AF62F840469FB61FB947D4F858032EE5E03B74DE3CE842CB11

Function 00007FF7A74524B3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7A74524F4
fprintf.MSVCRT ref: 00007FF7A7452523

Strings

C%p %d V=%0X w=%ld %s, xrefs: 00007FF7A745250A
C%p %d %s, xrefs: 00007FF7A74524E3

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: fprintf
String ID: C%p %d %s$C%p %d V=%0X w=%ld %s
API String ID: 383729395-884133013
Opcode ID: 363bebb7f777ff019ce84671e4d0ec8035539763ecc47460501ae2349624b095
Instruction ID: 7ecdec151df4be99f9394cd96040bb2af0ff4a4aeaf0a99bf98168e0abe1d88f
Opcode Fuzzy Hash: 363bebb7f777ff019ce84671e4d0ec8035539763ecc47460501ae2349624b095
Instruction Fuzzy Hash: 5B019EB6A0AB0585E720AF26F840568B760BB88BC8F869036DD4C43774DF3CE443C711

Function 00007FF7A744A661 Relevance: 6.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007FF7A744A6C3
strlen.MSVCRT ref: 00007FF7A744A711
??3@YAXPEAX@Z.MSVCRT ref: 00007FF7A744A72C
??3@YAXPEAX@Z.MSVCRT ref: 00007FF7A744A736

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: ??3@$strlen
String ID:
API String ID: 4288758904-0
Opcode ID: 77d83bdf5125a55431555ab4afc99044e0b2693a106f80fbabe8acf31025ff09
Instruction ID: b29bcd7b3aab8aea0a268f21b07374aa0cc0d90838605416cd1fccb32afa3f96
Opcode Fuzzy Hash: 77d83bdf5125a55431555ab4afc99044e0b2693a106f80fbabe8acf31025ff09
Instruction Fuzzy Hash: 0D21B462B0B74257FBB5BE11650227AD1907F547A4F9A4130EE8E06BE5DE2CE4C3A720

Function 00007FF7A7452CB0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

RtlAcquirePebLock.NTDLL ref: 00007FF7A7452CF2
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452D46
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452D67
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452D79

Part of subcall function 00007FF7A74529DB: RtlAcquirePebLock.NTDLL ref: 00007FF7A7452A0A
Part of subcall function 00007FF7A74529DB: RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452A1F
Part of subcall function 00007FF7A74529DB: RtlAcquirePebLock.NTDLL ref: 00007FF7A7452A3D
Part of subcall function 00007FF7A74529DB: RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452A4A

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: CriticalLeaveSection$AcquireLock
String ID:
API String ID: 602743569-0
Opcode ID: e43043ebd284bbac4e4832c21c9bbf8c11aebde8df7d4da4865f1934f31c12e3
Instruction ID: c2092e433abe537fa00416c8331ad8667a0c3437db21b7aee8a68f4bc1932062
Opcode Fuzzy Hash: e43043ebd284bbac4e4832c21c9bbf8c11aebde8df7d4da4865f1934f31c12e3
Instruction Fuzzy Hash: 833143B3B0A6418AEB64DE359840679A390EB44BA4FC94133DD2D972E4DE38EC46C664

Function 00007FF7A744F190 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7A744F20B
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF7A744F226
MultiByteToWideChar.KERNEL32 ref: 00007FF7A744F27A
_errno.MSVCRT ref: 00007FF7A744F284

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead_errno
String ID:
API String ID: 2766522060-0
Opcode ID: f998819e1c94d35a5e6b629fcb1f20398e65272cd3df907615ba179711f83a59
Instruction ID: 8414b7ca00dcdd22bf23bc7ca5ba16416c52fdcfdd64b93cf3c5a4a00f608bdc
Opcode Fuzzy Hash: f998819e1c94d35a5e6b629fcb1f20398e65272cd3df907615ba179711f83a59
Instruction Fuzzy Hash: E531F876A0E6824BF3705F21A40177AAA60BB95788F8D8131DA88477E5CF3ED4429B20

Function 00007FF7A745053D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7A7450552

Part of subcall function 00007FF7A744FEBF: TlsGetValue.KERNEL32 ref: 00007FF7A744FED1
Part of subcall function 00007FF7A744FEBF: GetCurrentThreadId.KERNEL32 ref: 00007FF7A744FF09
Part of subcall function 00007FF7A744FEBF: CreateEventA.KERNEL32 ref: 00007FF7A744FF1F
Part of subcall function 00007FF7A744FEBF: GetCurrentThread.KERNEL32 ref: 00007FF7A744FF56
Part of subcall function 00007FF7A744FEBF: DuplicateHandle.KERNEL32 ref: 00007FF7A744FF85
Part of subcall function 00007FF7A744FEBF: abort.MSVCRT ref: 00007FF7A744FF8F
Part of subcall function 00007FF7A744FEBF: GetThreadPriority.KERNEL32 ref: 00007FF7A744FF98
Part of subcall function 00007FF7A744FEBF: TlsSetValue.KERNEL32 ref: 00007FF7A744FFC1

_realloc_dbg.MSVCRT ref: 00007FF7A7450587
_realloc_dbg.MSVCRT ref: 00007FF7A745059B
SetLastError.KERNEL32 ref: 00007FF7A7450605

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Thread$CurrentErrorLastValue_realloc_dbg$CreateDuplicateEventHandlePriorityabort
String ID:
API String ID: 276713024-0
Opcode ID: 35d8b904a353473470a72823a59e0bb755945ea002d97c9797830bf140ee0540
Instruction ID: 19239eec2d02a5818d0274b1da35096d3bca5213b8543e196c1db642179afed6
Opcode Fuzzy Hash: 35d8b904a353473470a72823a59e0bb755945ea002d97c9797830bf140ee0540
Instruction Fuzzy Hash: 7D21C2727166859ADB08EF39A45426CA792FB48BD4FC64135CE0E47365EE3CD882C310

Function 00007FF7A7452BDE Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

RtlAcquirePebLock.NTDLL ref: 00007FF7A7452BF5
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452C4B
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452C71
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452C81

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: CriticalLeaveSection$AcquireLock
String ID:
API String ID: 602743569-0
Opcode ID: a7c7ee627f41c0ddbc9b5bfbd996a08413fa7091e63f250ce32d91d8e6cf3616
Instruction ID: 2072d999607e360eed76cab2e125553b020dad35c4d55cd03a90afb0ca27925c
Opcode Fuzzy Hash: a7c7ee627f41c0ddbc9b5bfbd996a08413fa7091e63f250ce32d91d8e6cf3616
Instruction Fuzzy Hash: E0215372A096428AE751DF35D14077DB390FB85B58FD98132DE0D87299DF38E882C764

Function 00007FF7A7450B4F Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A744FEBF: TlsGetValue.KERNEL32 ref: 00007FF7A744FED1
Part of subcall function 00007FF7A744FEBF: GetCurrentThreadId.KERNEL32 ref: 00007FF7A744FF09
Part of subcall function 00007FF7A744FEBF: CreateEventA.KERNEL32 ref: 00007FF7A744FF1F
Part of subcall function 00007FF7A744FEBF: GetCurrentThread.KERNEL32 ref: 00007FF7A744FF56
Part of subcall function 00007FF7A744FEBF: DuplicateHandle.KERNEL32 ref: 00007FF7A744FF85
Part of subcall function 00007FF7A744FEBF: abort.MSVCRT ref: 00007FF7A744FF8F
Part of subcall function 00007FF7A744FEBF: GetThreadPriority.KERNEL32 ref: 00007FF7A744FF98
Part of subcall function 00007FF7A744FEBF: TlsSetValue.KERNEL32 ref: 00007FF7A744FFC1

longjmp.MSVCRT ref: 00007FF7A7450B82
TlsGetValue.KERNEL32 ref: 00007FF7A7450B8E
TlsSetValue.KERNEL32 ref: 00007FF7A7450C0D
_endthreadex.MSVCRT ref: 00007FF7A7450C15

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: Value$Thread$Current$CreateDuplicateEventHandlePriority_endthreadexabortlongjmp
String ID:
API String ID: 843818611-0
Opcode ID: 4144d13ba3f8fa4985f916005d52704b2626d94dd0760b50547f56c1cf8d60be
Instruction ID: 8960614d2d7002ad743222a40a6fba7d3bce33a27815558f5d0c759f52bbfefd
Opcode Fuzzy Hash: 4144d13ba3f8fa4985f916005d52704b2626d94dd0760b50547f56c1cf8d60be
Instruction Fuzzy Hash: 8421306590B64282EB65BF71D454338BAA1EF88B54F8A8035CE0D0B3B0DF3CA846C760

Function 00007FF7A74529DB Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

RtlAcquirePebLock.NTDLL ref: 00007FF7A7452A0A
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452A1F
RtlAcquirePebLock.NTDLL ref: 00007FF7A7452A3D
RtlLeaveCriticalSection.NTDLL ref: 00007FF7A7452A4A

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: AcquireCriticalLeaveLockSection
String ID:
API String ID: 1584331419-0
Opcode ID: 11cf4df7c76df1f7af7f59934eb865f030e08f678413375f0af960a6a42e348a
Instruction ID: adc3879321ac321caa96382aae116be954da96d50a309f4a8876e8b75c8658bf
Opcode Fuzzy Hash: 11cf4df7c76df1f7af7f59934eb865f030e08f678413375f0af960a6a42e348a
Instruction Fuzzy Hash: D101D673B076518AD616DF17BC0052AA750FB98BD0F854132EE0947761CE3CDC528BC0

Function 00007FF7A744ADF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00007FF7A744AEB6
signal.MSVCRT ref: 00007FF7A744AECB

Strings

CCG , xrefs: 00007FF7A744AE16

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 3ffd34e54c127d4a93b65e2eb8953f0d0c3a7b03006955fc460bbb12d766246a
Instruction ID: cd5cf3b39ea4f1920ec3b8ce2b5c37ad379ebeac835f9428ee88f6baa4bed508
Opcode Fuzzy Hash: 3ffd34e54c127d4a93b65e2eb8953f0d0c3a7b03006955fc460bbb12d766246a
Instruction Fuzzy Hash: 1F2180A6F4F70243FB647D50844237AE1C19F55364FEB8936C91D822F1DE2DA8C36229

Function 00007FF7A744FC12 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007FF7A744FC7C
fprintf.MSVCRT ref: 00007FF7A744FC9B

Strings

%p not found?!?!, xrefs: 00007FF7A744FC91

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: ??3@fprintf
String ID: %p not found?!?!
API String ID: 4236183796-11085004
Opcode ID: 8cdc897e61e294d50c0e53b30f369981baf1cb99e2050b053c28a36e01660210
Instruction ID: d96a240b38bf4ff9fa328d0e590d500db42b6917c90727d2f7db8e4dacc76521
Opcode Fuzzy Hash: 8cdc897e61e294d50c0e53b30f369981baf1cb99e2050b053c28a36e01660210
Instruction Fuzzy Hash: E4115E61E0BA0692FB35BF55A4121789290BF58BD4FCA5835CD1D063B5EF2CA883A370

Function 00007FF7A7451BB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 00007FF7A7451C2F

Strings

RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s, xrefs: 00007FF7A7451C1F
RWL%p %d %s, xrefs: 00007FF7A7451BE0

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: printf
String ID: RWL%p %d %s$RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
API String ID: 3524737521-1971217749
Opcode ID: b1bc1984cc0dc195373680ff09ea0f24bc5ca7f46f2a323e45553ef56f7cbc10
Instruction ID: 464cd26e704846b7ee19439b0bd2c0b503290b0a5a3b4dcb5df0e3fb759c2aa0
Opcode Fuzzy Hash: b1bc1984cc0dc195373680ff09ea0f24bc5ca7f46f2a323e45553ef56f7cbc10
Instruction Fuzzy Hash: 54019273B0A50586EB21AF55F44056AB7A0F758BD4F85C035EE4D43B64DB3DD882CB00

Function 00007FF7A744F76F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7A744F609: _malloc_dbg.MSVCRT ref: 00007FF7A744F5B1
Part of subcall function 00007FF7A744F609: ??3@YAXPEAX@Z.MSVCRT ref: 00007FF7A744F5F7

GetCurrentThreadId.KERNEL32 ref: 00007FF7A744F79A
SetEvent.KERNEL32 ref: 00007FF7A744F7CF

Strings

basic_string::_M_create, xrefs: 00007FF7A744F76F

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: ??3@CurrentEventThread_malloc_dbg
String ID: basic_string::_M_create
API String ID: 3602570239-3122258987
Opcode ID: a51f37c2005890dbe744ece342cc84c1bccea1778b5eb3b3c09acc112c83829a
Instruction ID: 863752e8a37b1539c83d5ed25533081610eb53cdc148b949371807b61bcac07e
Opcode Fuzzy Hash: a51f37c2005890dbe744ece342cc84c1bccea1778b5eb3b3c09acc112c83829a
Instruction Fuzzy Hash: 96016232A171018BFB65AF35D801365A6D0EB04B18F9E8531E918C72E8EE2CD882D761

Function 00007FF7A744A8A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7A744A95A

Strings

Unknown error, xrefs: 00007FF7A744A8B7
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7A744A94D

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: bc54f14b6f1e064d76f3f6fdff09fad391532c2aa13ccadd92f6bec4456298a9
Instruction ID: 51fc68ebc21d040ee604d5d30a9cb5a32351f27a7a50b2c6edd294a34b8a505b
Opcode Fuzzy Hash: bc54f14b6f1e064d76f3f6fdff09fad391532c2aa13ccadd92f6bec4456298a9
Instruction Fuzzy Hash: 58117362909E84C2D3119F1CE4413EAB3B0FFAA759F915726EBC826624DF3AD153C700

Function 00007FF7A744A8E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7A744A95A

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF7A744A8E9
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7A744A94D

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 886ae4c81da4b56329d96e924009fcc8e8aecf891fb9769fbff69d503ffb97d2
Instruction ID: 5b51a8b2f9bbcb2e79dd3aa372f95a6e7a988ea8208b71e60f0a6562174eabd4
Opcode Fuzzy Hash: 886ae4c81da4b56329d96e924009fcc8e8aecf891fb9769fbff69d503ffb97d2
Instruction Fuzzy Hash: D0F01D66809F8482D2119F2CE4012ABB370FF9E789F615726EFC926524DF2DD5439B10

Function 00007FF7A744A8F2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7A744A95A

Strings

Total loss of significance (TLOSS), xrefs: 00007FF7A744A8F2
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7A744A94D

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 975ced0795814e3260122893c874e81c544344f54141e5e88e378f522a447fad
Instruction ID: b917c15a57b63e899709c5768b0acd655ddac8ce889288881930c7065378263a
Opcode Fuzzy Hash: 975ced0795814e3260122893c874e81c544344f54141e5e88e378f522a447fad
Instruction Fuzzy Hash: D6F01D66809F8482D2119F1CE4012ABB370FF9E789FA15726EFC926564DF2DD5439B10

Function 00007FF7A744A8D7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7A744A95A

Strings

Argument domain error (DOMAIN), xrefs: 00007FF7A744A8D7
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7A744A94D

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 63446f2e33afa28456cbbd0f67c1009258ab652de5a3f07ac3cad71ec56a8f21
Instruction ID: a6045cf65257923e6ab3f1065310fa5b3fcc25303114d111beb9e5b574f8bafa
Opcode Fuzzy Hash: 63446f2e33afa28456cbbd0f67c1009258ab652de5a3f07ac3cad71ec56a8f21
Instruction Fuzzy Hash: 01F01D66809F8482D2119F1CE4012ABB370FF9E789F615726EFC926568DF2DD5439B10

Function 00007FF7A744A8E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7A744A95A

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF7A744A8E0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7A744A94D

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 5e358847d3dac0a26045cfffe352c68a52e63f66b2906fc804fcbd336f738b52
Instruction ID: 60f3a9f3f03f4dad531e10939fd90f109b954fff011151f7d598a17624a54a08
Opcode Fuzzy Hash: 5e358847d3dac0a26045cfffe352c68a52e63f66b2906fc804fcbd336f738b52
Instruction Fuzzy Hash: 9EF01D66809F8482D2119F1CE4012ABB370FF9E789F615726EFC926524DF2DD5439B10

Function 00007FF7A744A8FB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7A744A95A

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF7A744A8FB
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7A744A94D

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 7e57657d9f93e0cfddf5bb36a2151157289811cdec9520688d657ce15531e64c
Instruction ID: 0e2347b8629087cf8b679bc003a47fce9356e9ce3915a9eda410c0f09305bdf4
Opcode Fuzzy Hash: 7e57657d9f93e0cfddf5bb36a2151157289811cdec9520688d657ce15531e64c
Instruction Fuzzy Hash: 17F01D66809F8482D211DF1CE4012ABB370FF9E789F615726EFC926524DF2DD5479B10

Function 00007FF7A744A904 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7A744A95A

Strings

Argument singularity (SIGN), xrefs: 00007FF7A744A904
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7A744A94D

Memory Dump Source

Source File: 00000000.00000002.2023284224.00007FF7A7441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7A7440000, based on PE: true

Associated: 00000000.00000002.2023271220.00007FF7A7440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023303220.00007FF7A7462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A7464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023314833.00007FF7A746C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023339330.00007FF7A746F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023350906.00007FF7A7474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7475000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A77FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7828000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7851000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7954000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7D2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023362697.00007FF7A7FF3000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7a7440000_8xfH5IUIWU.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 13b8e93ce3fd3b2efe3cb277abf4edb8425643be30d24c23b23e1728a30e4db7
Instruction ID: 2b2123534e7ca0b7c3454134e5ef1cf6c163ba0f85f31d835232642e55d80b8c
Opcode Fuzzy Hash: 13b8e93ce3fd3b2efe3cb277abf4edb8425643be30d24c23b23e1728a30e4db7
Instruction Fuzzy Hash: 41F03166809F8482D211DF1CE4002ABB370FF9E789F615326EFC826624DF3DD1428710

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8xfH5IUIWU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: 8xfH5IUIWU.exePID: 2124, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: 8xfH5IUIWU.exePID: 2124, Parent PID: 1028COMMON

Execution Graph

Windows Analysis Report
8xfH5IUIWU.exe

Function 00007FF7A74450D8 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 342
memoryinjectionprocessCOMMON

Function 00007FF7A7441131 Relevance: 13.6, APIs: 9, Instructions: 120
sleepstringCOMMON

Function 00007FF7A7503300 Relevance: 1.6, APIs: 1, Instructions: 56
filenativeCOMMON

Function 00007FF7A7503240 Relevance: 1.5, APIs: 1, Instructions: 48
filenativeCOMMON

Function 00007FF7A744FEBF Relevance: 12.1, APIs: 8, Instructions: 71
threadCOMMON

Function 00007FF7A744B9AF Relevance: 7.6, APIs: 5, Instructions: 108
COMMON

Function 00007FF7A7450A63 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Function 00007FF7A74566F0 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 131
COMMON