Edit tour

Windows Analysis Report
eOlMJXTCUH.exe

Overview

General Information

Sample name:	eOlMJXTCUH.exe renamed because original name is a hash value
Original sample name:	bbea55c736e2eccfcbaf36bd4467c419.exe
Analysis ID:	1520455
MD5:	bbea55c736e2eccfcbaf36bd4467c419
SHA1:	02cb4b74b3af0a545b922be9161ff588221cde5c
SHA256:	7d7f580de5a46d90941ed4c7db9ac24e0117a957614324647d6c528b7d2f1833
Tags:	exeuser-abuse_ch
Infos:

Detection

BlackMoon

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected BlackMoon Ransomware

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

eOlMJXTCUH.exe (PID: 2884 cmdline: "C:\Users\user\Desktop\eOlMJXTCUH.exe" MD5: BBEA55C736E2ECCFCBAF36BD4467C419)

conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
KrBanker, BlackMoon	ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.	No Attribution	http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/ https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/ https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/	https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
eOlMJXTCUH.exe	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
eOlMJXTCUH.exe	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xfbb30:$s1: blackmoon 0xfbb70:$s2: BlackMoon RunTime Error:

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000000.00000000.1445088590.00007FF7155FE000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: eOlMJXTCUH.exe PID: 2884	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.eOlMJXTCUH.exe.7ff715608390.3.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.eOlMJXTCUH.exe.7ff715608390.3.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x92ba0:$s1: blackmoon 0x92be0:$s2: BlackMoon RunTime Error:
0.0.eOlMJXTCUH.exe.7ff71560b5c9.2.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.eOlMJXTCUH.exe.7ff71560b5c9.2.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x91967:$s1: blackmoon 0x919a7:$s2: BlackMoon RunTime Error:
0.2.eOlMJXTCUH.exe.7ff71560b5c9.3.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.eOlMJXTCUH.exe.7ff71560b5c9.3.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x91967:$s1: blackmoon 0x919a7:$s2: BlackMoon RunTime Error:
0.2.eOlMJXTCUH.exe.7ff715608390.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.eOlMJXTCUH.exe.7ff715608390.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x94ba0:$s1: blackmoon 0x94be0:$s2: BlackMoon RunTime Error:
0.0.eOlMJXTCUH.exe.7ff715608390.3.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.eOlMJXTCUH.exe.7ff715608390.3.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x94ba0:$s1: blackmoon 0x94be0:$s2: BlackMoon RunTime Error:
0.2.eOlMJXTCUH.exe.7ff715608390.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.eOlMJXTCUH.exe.7ff715608390.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x92ba0:$s1: blackmoon 0x92be0:$s2: BlackMoon RunTime Error:
0.2.eOlMJXTCUH.exe.7ff7155ffc80.2.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.eOlMJXTCUH.exe.7ff7155ffc80.2.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x9d2b0:$s1: blackmoon 0x9d2f0:$s2: BlackMoon RunTime Error:
0.0.eOlMJXTCUH.exe.7ff7155ffc80.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.eOlMJXTCUH.exe.7ff7155ffc80.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x9d2b0:$s1: blackmoon 0x9d2f0:$s2: BlackMoon RunTime Error:
0.2.eOlMJXTCUH.exe.7ff7155a0000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.eOlMJXTCUH.exe.7ff7155a0000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xfbb30:$s1: blackmoon 0xfbb70:$s2: BlackMoon RunTime Error:
0.0.eOlMJXTCUH.exe.7ff7155a0000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.eOlMJXTCUH.exe.7ff7155a0000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xfbb30:$s1: blackmoon 0xfbb70:$s2: BlackMoon RunTime Error:
Click to see the 15 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: eOlMJXTCUH.exe

ReversingLabs: Detection: 47%

Machine Learning detection for sample

Source: eOlMJXTCUH.exe

Joe Sandbox ML: detected

Source: eOlMJXTCUH.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb@@ source: eOlMJXTCUH.exe
Source:	Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb source: eOlMJXTCUH.exe
Source:	Binary string: C:\Windows\Start.pdb source: eOlMJXTCUH.exe
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: eOlMJXTCUH.exe

Source: eOlMJXTCUH.exe	String found in binary or memory: http://103.239.244.218:8898/
Source: eOlMJXTCUH.exe	String found in binary or memory: http://103.239.244.218:8898/1c5b7aafca5f2cef32b8aea1ded2a1e9ed7a8f4b6d7cc93d3f1b914b61ea0731a?datamo
Source: eOlMJXTCUH.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: eOlMJXTCUH.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: eOlMJXTCUH.exe	String found in binary or memory: http://top6666.top/top/version.txt
Source: eOlMJXTCUH.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: eOlMJXTCUH.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: eOlMJXTCUH.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: eOlMJXTCUH.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155C71E0 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF7155C71E0

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155C71E0 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF7155C71E0

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155C7070 _Init_thread_footer,free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00007FF7155C7070

Spam, unwanted Advertisements and Ransom Demands

Yara detected BlackMoon Ransomware

Source: Yara match	File source: eOlMJXTCUH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.eOlMJXTCUH.exe.7ff71560b5c9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eOlMJXTCUH.exe.7ff71560b5c9.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eOlMJXTCUH.exe.7ff7155ffc80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.eOlMJXTCUH.exe.7ff7155ffc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1445088590.00007FF7155FE000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eOlMJXTCUH.exe PID: 2884, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: eOlMJXTCUH.exe, type: SAMPLE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.eOlMJXTCUH.exe.7ff71560b5c9.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.eOlMJXTCUH.exe.7ff71560b5c9.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.eOlMJXTCUH.exe.7ff7155ffc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.eOlMJXTCUH.exe.7ff7155ffc80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155DA090 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree,		0_2_00007FF7155DA090
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155F9FC0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn,		0_2_00007FF7155F9FC0

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155D9930: DeviceIoControl,

0_2_00007FF7155D9930

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155C8690	0_2_00007FF7155C8690
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B6A3F	0_2_00007FF7155B6A3F
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B7245	0_2_00007FF7155B7245
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B8220	0_2_00007FF7155B8220
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155CDF00	0_2_00007FF7155CDF00
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155D5F00	0_2_00007FF7155D5F00
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B62F1	0_2_00007FF7155B62F1
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B66E7	0_2_00007FF7155B66E7
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B6D5E	0_2_00007FF7155B6D5E
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B696A	0_2_00007FF7155B696A
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155C5150	0_2_00007FF7155C5150
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B6124	0_2_00007FF7155B6124
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B6E05	0_2_00007FF7155B6E05
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155CCE10	0_2_00007FF7155CCE10
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B61DE	0_2_00007FF7155B61DE
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155C99F0	0_2_00007FF7155C99F0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B65BC	0_2_00007FF7155B65BC
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155D21A0	0_2_00007FF7155D21A0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155D51B0	0_2_00007FF7155D51B0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155C2C80	0_2_00007FF7155C2C80
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155C147F	0_2_00007FF7155C147F
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155DA090	0_2_00007FF7155DA090
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155D3460	0_2_00007FF7155D3460
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B585C	0_2_00007FF7155B585C
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155CDC50	0_2_00007FF7155CDC50
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155CAC30	0_2_00007FF7155CAC30
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B650B	0_2_00007FF7155B650B
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B5CD7	0_2_00007FF7155B5CD7
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155D8CA0	0_2_00007FF7155D8CA0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155D78A0	0_2_00007FF7155D78A0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B709B	0_2_00007FF7155B709B
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155CFCB0	0_2_00007FF7155CFCB0
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B9B90	0_2_00007FF7155B9B90
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B5F95	0_2_00007FF7155B5F95
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155CD390	0_2_00007FF7155CD390
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155CC770	0_2_00007FF7155CC770
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155D0B50	0_2_00007FF7155D0B50
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155D3F20	0_2_00007FF7155D3F20
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155CE400	0_2_00007FF7155CE400
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155EFC00	0_2_00007FF7155EFC00
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Code function: 0_2_00007FF7155B57A5	0_2_00007FF7155B57A5

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: String function: 00007FF7155B75E0 appears 47 times

Source: eOlMJXTCUH.exe, 00000000.00000000.1445088590.00007FF7155FE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs eOlMJXTCUH.exe
Source: eOlMJXTCUH.exe, 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs eOlMJXTCUH.exe
Source: eOlMJXTCUH.exe	Binary or memory string: OriginalFilenameiQVW64.SYSH vs eOlMJXTCUH.exe

Source: eOlMJXTCUH.exe, type: SAMPLE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.eOlMJXTCUH.exe.7ff71560b5c9.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.eOlMJXTCUH.exe.7ff71560b5c9.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.eOlMJXTCUH.exe.7ff715608390.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.eOlMJXTCUH.exe.7ff715608390.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.eOlMJXTCUH.exe.7ff7155ffc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.eOlMJXTCUH.exe.7ff7155ffc80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.eOlMJXTCUH.exe.7ff7155a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime

Source: eOlMJXTCUH.exe	Binary string: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZstring too longbad cast\\\.\Nal[-] \Device\Nal is already in use.[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver iqvw64e.sysntoskrnl.exe[-] Failed to get ntoskrnl.exe[-] Failed to ClearPiDDBCacheTable[-] Failed to ClearKernelHashBucketList[!] Failed to ClearMmUnloadedDrivers[<] Unloading vulnerable driver[!] Error dumping shit inside the disk[+] Vul driver data destroyed before unlink[-] Failed to translate virtual address 0x[-] Failed to map IO space of 0x[!] Failed to unmap IO space of physical address 0xExAllocatePoolWithTag[!] Failed to find ExAllocatePoolExFreePool[!] Failed to find device_object[!] Failed to find driver_object[!] Failed to find driver_section[!] Failed to find driver name[!] Failed to read driver name[!] Failed to write driver name length[+] MmUnloadedDrivers Cleaned: ExAcquireResourceExclusiveLite[!] Failed to find ExAcquireResourceExclusiveLiteExReleaseResourceLite[!] Failed to find ExReleaseResourceLiteRtlDeleteElementGenericTableAvl[!] Failed to find RtlDeleteElementGenericTableAvlRtlLookupElementGenericTableAvl[!] Failed to find RtlLookupElementGenericTableAvlxxxxxx????xxxxx????xxx????xxxxx????x????xx?x
Source: eOlMJXTCUH.exe	Binary string: \Device\Nal

Source: classification engine

Classification label: mal68.rans.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155EF760 _invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindResourceExW,LoadResource,LockResource,SizeofResource,FindResourceW,LoadResource,LockResource,SizeofResource,WideCharToMultiByte,WideCharToMultiByte,

0_2_00007FF7155EF760

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03

Source: eOlMJXTCUH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: eOlMJXTCUH.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\eOlMJXTCUH.exe "C:\Users\user\Desktop\eOlMJXTCUH.exe"
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Section loaded: d3dcompiler_43.dll	Jump to behavior
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\eOlMJXTCUH.exe	Section loaded: vcruntime140_1.dll	Jump to behavior

Source: eOlMJXTCUH.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: eOlMJXTCUH.exe

Static file information: File size 2647552 > 1048576

Source: eOlMJXTCUH.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x225c00

Source: eOlMJXTCUH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eOlMJXTCUH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eOlMJXTCUH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eOlMJXTCUH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eOlMJXTCUH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eOlMJXTCUH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: eOlMJXTCUH.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: eOlMJXTCUH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb@@ source: eOlMJXTCUH.exe
Source:	Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb source: eOlMJXTCUH.exe
Source:	Binary string: C:\Windows\Start.pdb source: eOlMJXTCUH.exe
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: eOlMJXTCUH.exe

Source: eOlMJXTCUH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eOlMJXTCUH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eOlMJXTCUH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eOlMJXTCUH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eOlMJXTCUH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155B8220 InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort,InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort,InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort,

0_2_00007FF7155B8220

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155D3A91 push 8B48D68Bh; retf

0_2_00007FF7155D3A9C

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155DA090 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree,

0_2_00007FF7155DA090

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155FB400 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF7155FB400

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155FB400 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF7155FB400

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

0_2_00007FF7155DA090

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

0_2_00007FF7155B8220

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155D8880 GetProcessHeap,_Init_thread_footer,_Init_thread_footer,

0_2_00007FF7155D8880

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155FA958 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF7155FA958

Source: C:\Users\user\Desktop\eOlMJXTCUH.exe

Code function: 0_2_00007FF7155FB280 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7155FB280

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	4 Security Software Discovery	Remote Desktop Protocol	3 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eOlMJXTCUH.exe	47%	ReversingLabs
eOlMJXTCUH.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://103.239.244.218:8898/1c5b7aafca5f2cef32b8aea1ded2a1e9ed7a8f4b6d7cc93d3f1b914b61ea0731a?datamo	eOlMJXTCUH.exe	false		unknown
http://www.eyuyan.com)DVarFileInfo$	eOlMJXTCUH.exe	false		unknown
http://top6666.top/top/version.txt	eOlMJXTCUH.exe	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	eOlMJXTCUH.exe	false	URL Reputation: safe	unknown
http://103.239.244.218:8898/	eOlMJXTCUH.exe	false		unknown
http://ocsp.thawte.com0	eOlMJXTCUH.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520455
Start date and time:	2024-09-27 11:19:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eOlMJXTCUH.exe renamed because original name is a hash value
Original Sample Name:	bbea55c736e2eccfcbaf36bd4467c419.exe
Detection:	MAL
Classification:	mal68.rans.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 97
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target eOlMJXTCUH.exe, PID 2884 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: eOlMJXTCUH.exe

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.704600603666371
TrID:	Win64 Executable Console (202006/5) 81.26% UPX compressed Win32 Executable (30571/9) 12.30% Win64 Executable (generic) (12005/4) 4.83% Generic Win/DOS Executable (2004/3) 0.81% DOS Executable Generic (2002/1) 0.81%
File name:	eOlMJXTCUH.exe
File size:	2'647'552 bytes
MD5:	bbea55c736e2eccfcbaf36bd4467c419
SHA1:	02cb4b74b3af0a545b922be9161ff588221cde5c
SHA256:	7d7f580de5a46d90941ed4c7db9ac24e0117a957614324647d6c528b7d2f1833
SHA512:	c1057e8fa09b36ee7aa9fbdafaf00392a6725a8a080c2c0d4eb5da0e65f0a73b011f66618c3aeee1e674664f42eaea841570be72bce398e72067a70d824ad05f
SSDEEP:	49152:ftAectIwG0HVzQOhOXjJCEKEQIvufRoGp:fiG0VcOhOzJzLYoGp
TLSH:	45C55C02B5DC9E69C81AD33D8951111ED2A9FD085FA10B8783D84C745FFB4BA0DA9BE3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................>.......................................P.............'.1.............2.......2.......2.R.....2.......Rich...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14005ae54
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x663E6C1A [Fri May 10 18:48:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4e9653c358320c642fba6c227fa69d9f

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F07B8B79018h
dec eax
add esp, 28h
jmp 00007F07B8B78A67h
int3
int3
dec eax
and dword ptr [ecx+10h], 00000000h
dec eax
lea eax, dword ptr [00003E64h]
dec eax
mov dword ptr [ecx+08h], eax
dec eax
lea eax, dword ptr [00003E49h]
dec eax
mov dword ptr [ecx], eax
dec eax
mov eax, ecx
ret
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F07B8B78BC7h
dec eax
lea edx, dword ptr [0022503Bh]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F07B8B792BEh
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc ebp
xor ebx, ebx
inc esp
mov ecx, ebx
inc ecx
xor eax, 6C65746Eh
inc ecx
xor ecx, 756E6547h
inc esp
mov edx, edx
mov esi, eax
xor ecx, ecx
inc ecx
lea eax, dword ptr [ebx+01h]
inc ebp
or ecx, eax
cpuid
inc ecx
xor edx, 49656E69h
mov dword ptr [esp], eax
inc ebp
or ecx, edx
mov dword ptr [esp+04h], ebx
mov edi, ecx
mov dword ptr [esp+08h], ecx
mov dword ptr [esp+0Ch], edx
jne 00007F07B8B78C42h
dec eax
or dword ptr [00229117h], FFFFFFFFh
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007F07B8B78C1Ah
cmp eax, 00020660h
je 00007F07B8B78C13h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x280080	0x9b0	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x280a30	0x1cc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28a000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x286000	0x30a8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28b000	0x170	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x279960	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x279b80	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2799d0	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5e000	0xac0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c614	0x5c800	1df2fba203ccf736d7bc63afccd7df4f	False	0.48071157094594597	data	6.316272272877598	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5e000	0x225a44	0x225c00	8946a46d118c5218c46e6bdd4876caf8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x284000	0x1a88	0x800	627227ef91d5e2b0788c9dfcac41e984	False	0.244140625	DOS executable (block device driver \322f\324\377\3772)	3.3901758627178813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x286000	0x30a8	0x3200	db9254fc84934604e30bb4fb62b48eb8	False	0.46671875	data	5.742411815812642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x28a000	0x1e0	0x200	36134ee3ad78dcf3977297171cc7b586	False	0.53125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28b000	0x170	0x200	5feab6d22e7711133c8455f3705261b9	False	0.576171875	data	4.111487666917551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x28a060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
d3d11.dll	D3D11CreateDeviceAndSwapChain
D3DCOMPILER_43.dll	D3DCompile
IMM32.dll	ImmSetCompositionWindow, ImmGetContext, ImmReleaseContext
WINHTTP.dll	WinHttpOpenRequest, WinHttpOpen, WinHttpSendRequest, WinHttpConnect, WinHttpQueryDataAvailable, WinHttpReceiveResponse, WinHttpCloseHandle, WinHttpReadData
KERNEL32.dll	UnhandledExceptionFilter, GetModuleHandleW, CreateEventW, WaitForSingleObjectEx, ResetEvent, LoadLibraryA, GetProcAddress, GetTickCount, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, QueryPerformanceFrequency, QueryPerformanceCounter, HeapFree, VirtualFree, DeviceIoControl, VirtualAlloc, InitializeCriticalSectionEx, CreateFileW, GetCurrentThreadId, GetModuleHandleA, HeapSize, GetLastError, HeapReAlloc, CloseHandle, RaiseException, HeapAlloc, HeapDestroy, DeleteCriticalSection, GetCurrentProcessId, IsProcessorFeaturePresent, ReadFile, IsDebuggerPresent, Process32First, SetConsoleTitleA, GetCurrentProcess, WriteFile, TerminateProcess, CreatePipe, GetTempPathW, WaitForSingleObject, OpenProcess, CreateToolhelp32Snapshot, MultiByteToWideChar, Sleep, GetTempPathA, K32GetModuleFileNameExA, LockResource, Process32Next, WritePrivateProfileStringA, FindResourceExW, LoadResource, FindResourceW, K32EnumProcesses, GetStartupInfoA, CreateProcessW, WideCharToMultiByte, GetConsoleWindow, lstrcmpiA, CreateProcessA, GetPrivateProfileIntA, GetPrivateProfileStringA, SetConsoleTitleW, SetEvent, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, InitOnceBeginInitialize, InitOnceComplete, OutputDebugStringW, SetUnhandledExceptionFilter, SizeofResource, GetSystemTimeAsFileTime, GetProcessHeap, InitializeSListHead
USER32.dll	GetMessageA, DispatchMessageA, GetWindowRect, DestroyWindow, SetWindowPos, GetClassNameA, ShowWindow, GetAsyncKeyState, GetWindowTextA, MessageBoxA, MoveWindow, DefWindowProcA, SetLayeredWindowAttributes, TranslateMessage, LoadIconA, PeekMessageA, GetSystemMetrics, SetWindowLongPtrA, RegisterClassExA, GetKeyState, LoadCursorA, ScreenToClient, GetCapture, ClientToScreen, GetForegroundWindow, SetCapture, SetCursor, GetClientRect, ReleaseCapture, SetCursorPos, GetCursorPos, OpenClipboard, PostQuitMessage, GetWindowThreadProcessId, SetClipboardData, GetClipboardData, CloseClipboard, EmptyClipboard, EnumWindows
ADVAPI32.dll	RegCreateKeyW, RegDeleteKeyW, RegCloseKey, RegSetKeyValueW, RegOpenKeyW
MSVCP140.dll	?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, _Xtime_get_ticks, _Thrd_detach, _Query_perf_counter, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, _Cnd_do_broadcast_at_thread_exit, ?id@?$ctype@D@std@@2V0locale@2@A, ?_Throw_C_error@std@@YAXH@Z, ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Xinvalid_argument@std@@YAXPEBD@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Throw_Cpp_error@std@@YAXH@Z, _Query_perf_frequency, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@G@Z, _Thrd_sleep, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?_Xlength_error@std@@YAXPEBD@Z, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?uncaught_exception@std@@YA_NXZ, ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A, ?id@?$ctype@_W@std@@2V0locale@2@A, ?_Xout_of_range@std@@YAXPEBD@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z, ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?widen@?$ctype@_W@std@@QEBA_WD@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
ntdll.dll	RtlVirtualUnwind, RtlInitUnicodeString, RtlCaptureContext, RtlLookupFunctionEntry, NtQuerySystemInformation
WS2_32.dll	inet_addr, gethostbyname, recv, connect, socket, send, closesocket, WSACleanup, htons, WSAStartup
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	memcmp, memchr, memcpy, memmove, memset, _CxxThrowException, __current_exception_context, __current_exception, __C_specific_handler, strstr, __std_exception_copy, __std_exception_destroy, __std_terminate
api-ms-win-crt-runtime-l1-1-0.dll	_invalid_parameter_noinfo_noreturn, _errno, _register_thread_local_exe_atexit_callback, exit, terminate, abort, _c_exit, _invalid_parameter_noinfo, _beginthreadex, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, __p___argv, _get_initial_narrow_environment, _initterm, _initterm_e, _exit, __p___argc
api-ms-win-crt-stdio-l1-1-0.dll	fopen, __acrt_iob_func, fflush, fclose, _get_stream_buffer_pointers, __p__commode, _fseeki64, _set_fmode, fseek, fsetpos, ungetc, __stdio_common_vfprintf, setvbuf, fgetpos, fgetc, fwrite, fputc, __stdio_common_vsscanf, fread, __stdio_common_vsprintf, _wfopen, ftell
api-ms-win-crt-string-l1-1-0.dll	_stricmp, strncmp, isdigit, tolower, strcpy_s, isspace, strcmp
api-ms-win-crt-utility-l1-1-0.dll	rand, srand, qsort
api-ms-win-crt-heap-l1-1-0.dll	realloc, _callnewh, free, _set_new_mode, malloc
api-ms-win-crt-convert-l1-1-0.dll	strtod, atoi, strtol
api-ms-win-crt-filesystem-l1-1-0.dll	_lock_file, _unlock_file, _wremove
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-math-l1-1-0.dll	fmod, sqrtf, sinf, sqrt, pow, _dclass, floorf, __setusermatherr, ceilf, cosf, sin, cos, fmodf
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Exports

Name	Ordinal	Address
cJSON_AddArrayToObject	1	0x140055d20
cJSON_AddBoolToObject	2	0x140055910
cJSON_AddFalseToObject	3	0x140055830
cJSON_AddItemReferenceToArray	4	0x1400555a0
cJSON_AddItemReferenceToObject	5	0x140055620
cJSON_AddItemToArray	6	0x140055400
cJSON_AddItemToObject	7	0x140055560
cJSON_AddItemToObjectCS	8	0x140055580
cJSON_AddNullToObject	9	0x140055670
cJSON_AddNumberToObject	10	0x140055a00
cJSON_AddObjectToObject	11	0x140055c40
cJSON_AddRawToObject	12	0x140055b80
cJSON_AddStringToObject	13	0x140055ac0
cJSON_AddTrueToObject	14	0x140055750
cJSON_Compare	15	0x1400572b0
cJSON_CreateArray	16	0x140056960
cJSON_CreateArrayReference	17	0x140056810
cJSON_CreateBool	18	0x140056590
cJSON_CreateDoubleArray	19	0x140056c60
cJSON_CreateFalse	20	0x140056550
cJSON_CreateFloatArray	21	0x140056b20
cJSON_CreateIntArray	22	0x1400569e0
cJSON_CreateNull	23	0x1400564d0
cJSON_CreateNumber	24	0x1400565d0
cJSON_CreateObject	25	0x1400569a0
cJSON_CreateObjectReference	26	0x1400567c0
cJSON_CreateRaw	27	0x140056860
cJSON_CreateString	28	0x140056670
cJSON_CreateStringArray	29	0x140056d90
cJSON_CreateStringReference	30	0x140056770
cJSON_CreateTrue	31	0x140056510
cJSON_Delete	32	0x140053310
cJSON_DeleteItemFromArray	33	0x140055f10
cJSON_DeleteItemFromObject	34	0x1400560b0
cJSON_DeleteItemFromObjectCaseSensitive	35	0x140056140
cJSON_DetachItemFromArray	36	0x140055e70
cJSON_DetachItemFromObject	37	0x140055fa0
cJSON_DetachItemFromObjectCaseSensitive	38	0x140056020
cJSON_DetachItemViaPointer	39	0x140055e00
cJSON_Duplicate	40	0x140056ec0
cJSON_GetArrayItem	41	0x140055200
cJSON_GetArraySize	42	0x1400551e0
cJSON_GetErrorPtr	43	0x1400531d0
cJSON_GetNumberValue	44	0x140053200
cJSON_GetObjectItem	45	0x140055350
cJSON_GetObjectItemCaseSensitive	46	0x140055360
cJSON_GetStringValue	47	0x1400531e0
cJSON_HasObjectItem	48	0x140055370
cJSON_InitHooks	49	0x140053270
cJSON_InsertItemInArray	50	0x1400561d0
cJSON_IsArray	51	0x140057280
cJSON_IsBool	52	0x140057230
cJSON_IsFalse	53	0x140057210
cJSON_IsInvalid	54	0x140057200
cJSON_IsNull	55	0x140057250
cJSON_IsNumber	56	0x140057260
cJSON_IsObject	57	0x140057290
cJSON_IsRaw	58	0x1400572a0
cJSON_IsString	59	0x140057270
cJSON_IsTrue	60	0x140057220
cJSON_Minify	61	0x1400570c0
cJSON_Parse	62	0x1400541b0
cJSON_ParseWithLength	63	0x1400541e0
cJSON_ParseWithLengthOpts	64	0x140053f50
cJSON_ParseWithOpts	65	0x140053f20
cJSON_Print	66	0x140054330
cJSON_PrintBuffered	67	0x140054350
cJSON_PrintPreallocated	68	0x140054410
cJSON_PrintUnformatted	69	0x140054340
cJSON_ReplaceItemInArray	70	0x140056390
cJSON_ReplaceItemInObject	71	0x1400564b0
cJSON_ReplaceItemInObjectCaseSensitive	72	0x1400564c0
cJSON_ReplaceItemViaPointer	73	0x140056280
cJSON_SetNumberHelper	74	0x140053390
cJSON_SetValuestring	75	0x1400533d0
cJSON_Version	76	0x140053220
cJSON_free	77	0x1400575d0
cJSON_malloc	78	0x1400575c0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	05:20:14
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\eOlMJXTCUH.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\eOlMJXTCUH.exe"
Imagebase:	0x7ff7155a0000
File size:	2'647'552 bytes
MD5 hash:	BBEA55C736E2ECCFCBAF36BD4467C419
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000000.00000000.1445088590.00007FF7155FE000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:20:14
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF7155D8CA0 Relevance: 82.8, APIs: 33, Strings: 14, Instructions: 509filethreadCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7155D8CE2
GetTempPathW.KERNEL32 ref: 00007FF7155D8CF0
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155D8D83
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155D8E24
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155D8ECB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155D8F11
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155D8F67

Part of subcall function 00007FF7155D8690: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF7155DCF5C,?,?,?,00007FF7155A10DD), ref: 00007FF7155D869B

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7155D8FE6
GetCurrentThreadId.KERNEL32 ref: 00007FF7155D8FEF
srand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7155D8FFA
CreateFileW.KERNEL32 ref: 00007FF7155D9027
CloseHandle.KERNEL32 ref: 00007FF7155D903A

Part of subcall function 00007FF7155DCFB0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD136
Part of subcall function 00007FF7155DCFB0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD13D
Part of subcall function 00007FF7155DCFB0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD14A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155D905D
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7155D90A1
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7155D90E5
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155D915A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155D919A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155D91D6

Strings

[<] Loading vulnerable driver, Name: , xrefs: 00007FF7155D9116
[-] Failed to register and start service for the vulnerable driver, xrefs: 00007FF7155D933B
gfff, xrefs: 00007FF7155D90AA
[-] Failed to get ntoskrnl.exe, xrefs: 00007FF7155D9444
[-] Failed to ClearPiDDBCacheTable, xrefs: 00007FF7155D9459
[-] Failed to create vulnerable driver file, xrefs: 00007FF7155D92B7
[!] Failed to ClearMmUnloadedDrivers, xrefs: 00007FF7155D9483
\\.\Nal, xrefs: 00007FF7155D9020, 00007FF7155D939A
[-] \Device\Nal is already in use., xrefs: 00007FF7155D9040
[-] Failed to get temp path, xrefs: 00007FF7155D8D66
ntoskrnl.exe, xrefs: 00007FF7155D93D5
[-] Can't find TEMP folder, xrefs: 00007FF7155D91B9
[-] Failed to ClearKernelHashBucketList, xrefs: 00007FF7155D946E
[-] Failed to load driver iqvw64e.sys, xrefs: 00007FF7155D948C

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@_V01@@$rand$?setstate@?$basic_ios@_?uncaught_exception@std@@CloseCreateCurrentFileHandleOsfx@?$basic_ostream@_PathTempThreadXlength_error@std@@_time64memsetsrand
String ID: [!] Failed to ClearMmUnloadedDrivers$[-] Can't find TEMP folder$[-] Failed to ClearKernelHashBucketList$[-] Failed to ClearPiDDBCacheTable$[-] Failed to create vulnerable driver file$[-] Failed to get ntoskrnl.exe$[-] Failed to get temp path$[-] Failed to load driver iqvw64e.sys$[-] Failed to register and start service for the vulnerable driver$[-] \Device\Nal is already in use.$[<] Loading vulnerable driver, Name: $\\.\Nal$gfff$ntoskrnl.exe
API String ID: 1183820329-3036430678
Opcode ID: 6c3b7febbf1366668262c58f63a2642490fee6c67d57293695a2c684cb27a9f3
Instruction ID: 3629ce0715bbcf08d7250cb23e3b9e4ffb053019cc8fdd6f4f155aa202ff5df4
Opcode Fuzzy Hash: 6c3b7febbf1366668262c58f63a2642490fee6c67d57293695a2c684cb27a9f3
Instruction Fuzzy Hash: 22326126A08E4285FB08EB65E8543A9A373FB45F74F904236DA6D43AB5DF7CE448C710

Function 00007FF7155B8220 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 187libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF7155B828A
LoadLibraryA.KERNEL32 ref: 00007FF7155B82A2
InitOnceComplete.KERNEL32 ref: 00007FF7155B82B4
LoadLibraryA.KERNEL32 ref: 00007FF7155B82C5
GetProcAddress.KERNEL32 ref: 00007FF7155B82D5
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155B82FB
InitOnceBeginInitialize.KERNEL32 ref: 00007FF7155B837B
LoadLibraryA.KERNEL32 ref: 00007FF7155B8393
InitOnceComplete.KERNEL32 ref: 00007FF7155B83A5
LoadLibraryA.KERNEL32 ref: 00007FF7155B83B6
GetProcAddress.KERNEL32 ref: 00007FF7155B83C6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155B83ED
InitOnceBeginInitialize.KERNEL32 ref: 00007FF7155B846F
LoadLibraryA.KERNEL32 ref: 00007FF7155B8487
InitOnceComplete.KERNEL32 ref: 00007FF7155B8499
LoadLibraryA.KERNEL32 ref: 00007FF7155B84AA
GetProcAddress.KERNEL32 ref: 00007FF7155B84BA
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155B84E2

Strings

user32.dll, xrefs: 00007FF7155B829B, 00007FF7155B838C, 00007FF7155B8480
win32u.dll, xrefs: 00007FF7155B82BE, 00007FF7155B83AF, 00007FF7155B84A3
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF7155B82CE, 00007FF7155B83BF, 00007FF7155B84B3

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: d5f40acf8f3afe46fa0fe008b69f5f493da046fc0fa54d90f83a0d6a8a3422e7
Instruction ID: dc68f202fda108d9ce82fc320cbd97ff8a5cf5a6c0acf346ebd86032aa705b0c
Opcode Fuzzy Hash: d5f40acf8f3afe46fa0fe008b69f5f493da046fc0fa54d90f83a0d6a8a3422e7
Instruction Fuzzy Hash: 5C81203AA08E0186F794EB25E858369B3E6BB84F50FC14136D69D42670EF3DD559CB20

Function 00007FF7155EFC00 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 255libraryloaderCOMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7155F0B92), ref: 00007FF7155EFC28
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7155F0B92), ref: 00007FF7155EFC42
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7155F0B92), ref: 00007FF7155EFC6C
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7155F0B92), ref: 00007FF7155EFC97
std::_Facet_Register.LIBCPMT ref: 00007FF7155EFCB0
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7155F0B92), ref: 00007FF7155EFCCF
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155EFCF5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7155F0B92), ref: 00007FF7155EFDC5
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7155F0B92), ref: 00007FF7155EFDF2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155EFE21
InitOnceBeginInitialize.KERNEL32 ref: 00007FF7155EFECC
LoadLibraryA.KERNEL32 ref: 00007FF7155EFEE7
InitOnceComplete.KERNEL32 ref: 00007FF7155EFEF9
LoadLibraryA.KERNEL32 ref: 00007FF7155EFF0E
GetProcAddress.KERNEL32 ref: 00007FF7155EFF1E

Part of subcall function 00007FF7155FA2B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7155A100E), ref: 00007FF7155FA2CA

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155EFF91

Strings

user32.dll, xrefs: 00007FF7155EFEE0
win32u.dll, xrefs: 00007FF7155EFF07
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF7155EFF17

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskInitLibraryLoadLockit@std@@Once$??0_??1_AddressBeginBid@locale@std@@CompleteD@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@InitializeLocimp@12@ProcRegisterV42@@Vfacet@locale@2@_invalid_parameter_noinfo_noreturnabortmallocmemcpystd::_
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 160556041-2075034528
Opcode ID: c34d8c8ee70445bc7e05ff25bb86cda10053a8d31ee08f4a4301872781474bda
Instruction ID: df3850a0790fe3577ff240e91fabd9c20f9f7863b73712f10884199bc3c7eb7c
Opcode Fuzzy Hash: c34d8c8ee70445bc7e05ff25bb86cda10053a8d31ee08f4a4301872781474bda
Instruction Fuzzy Hash: FFB1B436B08E4189E758AF64E4002A9B3A2FF48FA4F844632DA5D57BB4DF3CE159C310

Function 00007FF7155DA090 Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 201nativememoryCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF7155DA0CC
VirtualFree.KERNEL32 ref: 00007FF7155DA0EB
VirtualAlloc.KERNEL32 ref: 00007FF7155DA100
NtQuerySystemInformation.NTDLL ref: 00007FF7155DA119
GetCurrentProcessId.KERNEL32 ref: 00007FF7155DA17A
VirtualFree.KERNEL32 ref: 00007FF7155DA1B8
memset.VCRUNTIME140 ref: 00007FF7155DA2BA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155DA2F4

Part of subcall function 00007FF7155D9890: DeviceIoControl.KERNEL32 ref: 00007FF7155D98F8

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155DA353
VirtualFree.KERNEL32 ref: 00007FF7155DA3A5

Strings

[!] Failed to find driver_section, xrefs: 00007FF7155DA371
[!] Failed to write driver name length, xrefs: 00007FF7155DA329
[!] Failed to find driver_object, xrefs: 00007FF7155DA37D
[!] Failed to find driver name, xrefs: 00007FF7155DA365
[!] Failed to find device_object, xrefs: 00007FF7155DA389
[!] Failed to read driver name, xrefs: 00007FF7155DA2D7
[+] MmUnloadedDrivers Cleaned: , xrefs: 00007FF7155DA332

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: V01@Virtual$Free$??6?$basic_ostream@_InformationQuerySystemU?$char_traits@_V01@@W@std@@@std@@$AllocControlCurrentDeviceProcessmemset
String ID: [!] Failed to find device_object$[!] Failed to find driver name$[!] Failed to find driver_object$[!] Failed to find driver_section$[!] Failed to read driver name$[!] Failed to write driver name length$[+] MmUnloadedDrivers Cleaned:
API String ID: 2853312854-3011715350
Opcode ID: c8924b274c92300cc0d865ce196ea4adece3c5e736b0290496aa24c04ca0b89d
Instruction ID: f41dcd7ae66367b1a0ddad399bff9a62b43958d5db71891b250363ff966e8350
Opcode Fuzzy Hash: c8924b274c92300cc0d865ce196ea4adece3c5e736b0290496aa24c04ca0b89d
Instruction Fuzzy Hash: F481D33AB08E4285EB58AF61D4403F9A3A3EF45FA8F805031DD5D17AA5DF3CE5498320

Function 00007FF7155D21A0 Relevance: 23.5, APIs: 18, Instructions: 1037COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D2328
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D235B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D23FB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D24AF
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D24D8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D2508
memset.VCRUNTIME140 ref: 00007FF7155D251E
memset.VCRUNTIME140 ref: 00007FF7155D252C
memset.VCRUNTIME140 ref: 00007FF7155D2539
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D2A3B
memset.VCRUNTIME140 ref: 00007FF7155D2A53
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D2C39
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D2C5F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D2C9F

Part of subcall function 00007FF7155D3920: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D3957
Part of subcall function 00007FF7155D3920: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D3986
Part of subcall function 00007FF7155D3920: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D39B5

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D30BB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D30E2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D3109
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D32AE

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: free$malloc$memset
String ID:
API String ID: 1620901979-0
Opcode ID: 32ec24de8602e51d2e439e979dfa52751790b15f82c8533318112153f1c043c3
Instruction ID: 30a093f24e85ca013df6a9732f55f28402b1c9a8fedad9056dffb27f047b8206
Opcode Fuzzy Hash: 32ec24de8602e51d2e439e979dfa52751790b15f82c8533318112153f1c043c3
Instruction Fuzzy Hash: B9B2F137A08B848AE718DF26D04067DB7B1FB48BA4F458336EE4953765DB38E499CB10

Function 00007FF7155D5F00 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 194COMMON

Download Yara Rule

APIs

D3DCompile.D3DCOMPILER_43 ref: 00007FF7155D5F9C
D3DCompile.D3DCOMPILER_43 ref: 00007FF7155D6161
memset.VCRUNTIME140 ref: 00007FF7155D61D2

Part of subcall function 00007FF7155D5D00: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D5D98

Strings

TEXCOORD, xrefs: 00007FF7155D6010
POSITION, xrefs: 00007FF7155D6002
COLOR, xrefs: 00007FF7155D601E
@, xrefs: 00007FF7155D60F4
cbuffer vertexBuffer : register(b0) { float4x4 ProjectionMatrix; }; struct VS_INPUT { float2 pos : POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; , xrefs: 00007FF7155D5F6C
main, xrefs: 00007FF7155D5F60
ps_4_0, xrefs: 00007FF7155D613C
struct PS_INPUT { float4 pos : SV_POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; sampler sampler0; Texture2D texture0; float4 main(PS_INPUT input) : , xrefs: 00007FF7155D6131
vs_4_0, xrefs: 00007FF7155D5F77

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: Compile$mallocmemset
String ID: @$COLOR$POSITION$TEXCOORD$cbuffer vertexBuffer : register(b0) { float4x4 ProjectionMatrix; }; struct VS_INPUT { float2 pos : POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; $main$ps_4_0$struct PS_INPUT { float4 pos : SV_POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; sampler sampler0; Texture2D texture0; float4 main(PS_INPUT input) : $vs_4_0
API String ID: 2232712580-597721571
Opcode ID: 8c6829e22f59b4ec5b7c6328ad1754db81dcdc64489c9d9dd4f43be0d5beea64
Instruction ID: 2faeafb219f79d46a3ac3b2230146ac54390c415eee02522eceb1950fbde2fc6
Opcode Fuzzy Hash: 8c6829e22f59b4ec5b7c6328ad1754db81dcdc64489c9d9dd4f43be0d5beea64
Instruction Fuzzy Hash: 5AB150B6A04F8589E724DF25E8443A9B7A4F748F98F804126DA8D47B24DF7CE159CB20

Function 00007FF7155EF760 Relevance: 18.2, APIs: 12, Instructions: 228COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000010,00007FF7155EF2B0), ref: 00007FF7155EF79D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155EF7CE
FindResourceExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7155EF2B0), ref: 00007FF7155EF84D
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7155EF2B0), ref: 00007FF7155EF861
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7155EF2B0), ref: 00007FF7155EF86F
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7155EF2B0), ref: 00007FF7155EF883
FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7155EF2B0), ref: 00007FF7155EF8FA
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7155EF2B0), ref: 00007FF7155EF912

Part of subcall function 00007FF7155FA2B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7155A100E), ref: 00007FF7155FA2CA

LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7155EF2B0), ref: 00007FF7155EF924
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7155EF2B0), ref: 00007FF7155EF93C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7155EF2B0), ref: 00007FF7155EF99F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7155EF2B0), ref: 00007FF7155EF9F1

Part of subcall function 00007FF7155E36C0: _CxxThrowException.VCRUNTIME140(?,?,?,?,00007FF7155EFA45), ref: 00007FF7155E36DC

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: Resource$ByteCharFindLoadLockMultiSizeofWide$Concurrency::cancel_current_taskExceptionThrow_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 3753685364-0
Opcode ID: 1df703b592d0aa6725df9a0ef72cf0bbe26832c107805d72e2f86606f38846f7
Instruction ID: 5b032c7c15e32accfb3a6da9c01b6ec66059c55e1a487f595a2f37aabae25ed1
Opcode Fuzzy Hash: 1df703b592d0aa6725df9a0ef72cf0bbe26832c107805d72e2f86606f38846f7
Instruction Fuzzy Hash: C971D82AB09E0285EA5CAB15A444179F2D3FF44FE4F848535DA6E577A4EF3CE449C320

Function 00007FF7155C99F0 Relevance: 15.8, APIs: 10, Instructions: 843COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155C9B37
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CA0C2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CA0F2
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CA5A4
memcpy.VCRUNTIME140 ref: 00007FF7155CA5C7
memcpy.VCRUNTIME140 ref: 00007FF7155CA5E2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CA608
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CA636
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CA677
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CA6A2

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: free$mallocmemcpysqrtf
String ID:
API String ID: 943526449-0
Opcode ID: 1cae617d8c96f95f755bc0b6b1272b00218617505eb0b1bd904ea95b7d9aa52b
Instruction ID: d42009e02a644d80a9d15068f73f41aead4bdf29ab8c5d0a42f2baff93e88c12
Opcode Fuzzy Hash: 1cae617d8c96f95f755bc0b6b1272b00218617505eb0b1bd904ea95b7d9aa52b
Instruction Fuzzy Hash: F072BD12E28BE845D3068736504227AE7E6AF6EBC4F19C333ED49A6671DB3DE446C710

Function 00007FF7155F9FC0 Relevance: 13.6, APIs: 9, Instructions: 140nativememoryCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF7155F9FF0
VirtualFree.KERNEL32 ref: 00007FF7155FA010
VirtualAlloc.KERNEL32 ref: 00007FF7155FA026
NtQuerySystemInformation.NTDLL ref: 00007FF7155FA041
VirtualFree.KERNEL32 ref: 00007FF7155FA062
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7155FA0F5
VirtualFree.KERNEL32 ref: 00007FF7155FA151
VirtualFree.KERNEL32 ref: 00007FF7155FA193
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155FA1CD

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: Virtual$Free$InformationQuerySystem$Alloc_invalid_parameter_noinfo_noreturn_stricmp
String ID:
API String ID: 562193759-0
Opcode ID: cee0452abbe4e51be29b99d355f00106c4d97a53cbf14374b54ecd2ee6a57106
Instruction ID: 81e8fbb22e9a52f33deaa4c3492d1cd66c302b994c0d4fd0f70dd2b8936ec3f1
Opcode Fuzzy Hash: cee0452abbe4e51be29b99d355f00106c4d97a53cbf14374b54ecd2ee6a57106
Instruction Fuzzy Hash: EF51B426B08D4142FB68AB15E804329A363EB85FB4FC44236DA5E476F8DF7DE4898710

Function 00007FF7155CD390 Relevance: 12.3, APIs: 8, Instructions: 254COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CD482
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CD4B0
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CD4DF
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CD50A
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CD708
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CD736
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CD765
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CD790

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: 3878fdb2749f4734c70dd1c737b86e02145e25923629cf4e9aab1c59f069faf7
Instruction ID: 44a548d0b109dc666b91c0401a742b1458ab9a0dcd64cf661fa3f3008ff37e0e
Opcode Fuzzy Hash: 3878fdb2749f4734c70dd1c737b86e02145e25923629cf4e9aab1c59f069faf7
Instruction Fuzzy Hash: 09B1A326E28FCC81E223A63750821F5E250AF7F7D4F2DDB23F98475AB2AB2461D15650

Function 00007FF7155C7070 Relevance: 12.1, APIs: 8, Instructions: 90clipboardCOMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF7155C70CA

Part of subcall function 00007FF7155FA7D8: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7155C70CF), ref: 00007FF7155FA7E8
Part of subcall function 00007FF7155FA7D8: LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7155C70CF), ref: 00007FF7155FA828

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155C70FB
OpenClipboard.USER32 ref: 00007FF7155C7109

Part of subcall function 00007FF7155FA838: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7155C70A0), ref: 00007FF7155FA848

GetClipboardData.USER32 ref: 00007FF7155C7125
CloseClipboard.USER32 ref: 00007FF7155C7133
GlobalLock.KERNEL32 ref: 00007FF7155C714E
GlobalUnlock.KERNEL32 ref: 00007FF7155C71B2
CloseClipboard.USER32 ref: 00007FF7155C71B8

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: Clipboard$CriticalSection$CloseEnterGlobal$DataInit_thread_footerLeaveLockOpenUnlockfree
String ID:
API String ID: 1560965594-0
Opcode ID: ef31e80acc1fe1ab0a68e6eef7edea8cbfcdd5a283e7309483a9938ef71b8cbb
Instruction ID: aca5d5e36bbb8832b6f0278350fc3308f093caddf20dfd4e8f9661241e1ab840
Opcode Fuzzy Hash: ef31e80acc1fe1ab0a68e6eef7edea8cbfcdd5a283e7309483a9938ef71b8cbb
Instruction Fuzzy Hash: 3A41F168A2AE4685FB48AB15B850135A7A6AF44F71FC40039D90E467B1DF2CF45DC731

Function 00007FF7155C71E0 Relevance: 12.1, APIs: 8, Instructions: 82clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF7155C71EB
GlobalAlloc.KERNEL32 ref: 00007FF7155C725B
GlobalLock.KERNEL32 ref: 00007FF7155C726C
GlobalUnlock.KERNEL32 ref: 00007FF7155C72BE
EmptyClipboard.USER32 ref: 00007FF7155C72C4
SetClipboardData.USER32 ref: 00007FF7155C72D2
GlobalFree.KERNEL32 ref: 00007FF7155C72E0
CloseClipboard.USER32 ref: 00007FF7155C72E6

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: a0de574d7b4097b32ff72e0bc7359d55448810927296f8744780f7e27b8dc909
Instruction ID: cfc48336fa679821547aa85c48bb55db2155a88336efeabfea65e05aa433dd46
Opcode Fuzzy Hash: a0de574d7b4097b32ff72e0bc7359d55448810927296f8744780f7e27b8dc909
Instruction Fuzzy Hash: 6A31F619A29E4246EB58AF60E414239E3A6FF45FB0F840535EA4F46BB4DF3CE4498334

Function 00007FF7155D0B50 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155D0D2D
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155D0DA5
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155D0E97
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155D0F5B

Strings

(, xrefs: 00007FF7155D10AD

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: sqrtf
String ID: (
API String ID: 321154650-3887548279
Opcode ID: c8e5f86f65f5ad157d40fe4dc91b9e292f271e74b3252ca97500ac88d73fbee6
Instruction ID: 62acda1e9b5450380c5b614e492e27679cb3e8c53194e6ccb655e1c5dcf3a206
Opcode Fuzzy Hash: c8e5f86f65f5ad157d40fe4dc91b9e292f271e74b3252ca97500ac88d73fbee6
Instruction Fuzzy Hash: EE12A233924B888AD316DF3694811ACB361FF6DB98B19D712EA1933675EB34F1A5C700

Function 00007FF7155CFCB0 Relevance: 9.9, APIs: 6, Instructions: 859COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CFEBE
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CFF48
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CFFD5
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155D0062
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155D012B
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155D096D

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: 2baae64f0a07a21af1e8ba19d5ad197a64105e351c2a384a0658151743b1f0a7
Instruction ID: 5820b4147f797b7f78007cde0659be92616594c50fb46837e4f283f8b15867b2
Opcode Fuzzy Hash: 2baae64f0a07a21af1e8ba19d5ad197a64105e351c2a384a0658151743b1f0a7
Instruction Fuzzy Hash: E9924C33920B889AD756CF3794810A8B760FFADB94719D716EB0923771DB34F1A59B00

Function 00007FF7155FB400 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF7155B5548), ref: 00007FF7155FB416
GetLastError.KERNEL32 ref: 00007FF7155FB461
IsDebuggerPresent.KERNEL32 ref: 00007FF7155FB479
OutputDebugStringW.KERNEL32 ref: 00007FF7155FB48A

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF7155FB483

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: DebugDebuggerErrorLastOutputPresentStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 1848478996-631824599
Opcode ID: 59978aa0e99f98408fa56683d24922118f46a79fa78f021a7860229acf276d40
Instruction ID: 9727e5d8aa6ea9cdf8327dbda9d31049f5ec111bafab9db168abbe5a41874330
Opcode Fuzzy Hash: 59978aa0e99f98408fa56683d24922118f46a79fa78f021a7860229acf276d40
Instruction Fuzzy Hash: 9B114F36A14F4297F748AB22DA4437973A6FB44B64F844136C64D82A60EF3CE478C720

Function 00007FF7155CC770 Relevance: 7.8, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CC7FA
memset.VCRUNTIME140 ref: 00007FF7155CC8EA
memset.VCRUNTIME140 ref: 00007FF7155CC903
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CC980
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CCBBF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CCC09

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: freemallocmemset
String ID:
API String ID: 3809226132-0
Opcode ID: a713e0f359786db582f7f3262865d37e8f88f0ac2ff049087d256d2efde3257c
Instruction ID: 431d08a87e8273160a865972e7ea7ab86427e44c77cc7d4b33bc2df73719cc14
Opcode Fuzzy Hash: a713e0f359786db582f7f3262865d37e8f88f0ac2ff049087d256d2efde3257c
Instruction Fuzzy Hash: 8CD1F436A18AC486E729DB26D0852B9F365FF58B94F489331DA9C13370EF38E555CB20

Function 00007FF7155D8880 Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7155D88C9
_Init_thread_footer.LIBCMT ref: 00007FF7155D88FE

Part of subcall function 00007FF7155FA7D8: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7155C70CF), ref: 00007FF7155FA7E8
Part of subcall function 00007FF7155FA7D8: LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7155C70CF), ref: 00007FF7155FA828

_Init_thread_footer.LIBCMT ref: 00007FF7155D897A

Part of subcall function 00007FF7155FA838: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7155C70A0), ref: 00007FF7155FA848

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInit_thread_footer$HeapLeaveProcess
String ID:
API String ID: 3391058595-0
Opcode ID: 55f051845337419d7e9ac7d39ec191685543e7dbea6fe99633ae4b25728e3053
Instruction ID: d1b7aa9861889ed83cb29ffb3c14f6f25a04a47389bd35651607caaba7f34d14
Opcode Fuzzy Hash: 55f051845337419d7e9ac7d39ec191685543e7dbea6fe99633ae4b25728e3053
Instruction Fuzzy Hash: 6F31C265D8AE4395E718AB20F880274A7A1AF44B30FD44136C45E4A2B1EF3CA4ADCB31

Function 00007FF7155CE400 Relevance: 4.2, APIs: 3, Instructions: 425COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7155CBDB0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CBF06
Part of subcall function 00007FF7155CBDB0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CBF33
Part of subcall function 00007FF7155CBDB0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CBF5A
Part of subcall function 00007FF7155CBDB0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CBF7D

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CE8E8

Part of subcall function 00007FF7155CD830: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CD8F1

Part of subcall function 00007FF7155CCE10: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CCF28

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CE8A0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CE8C1

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: free$ceilffloorfmalloc
String ID:
API String ID: 573317343-0
Opcode ID: 59a0387699cb1b0d964e7d516f0eae01c374f4172e03abb4465c3dadea4d87e9
Instruction ID: 2c07cfa18178d33f7e9982c4d22575f8751a3260eeed2992b3a6c39cedb58f65
Opcode Fuzzy Hash: 59a0387699cb1b0d964e7d516f0eae01c374f4172e03abb4465c3dadea4d87e9
Instruction Fuzzy Hash: B012F132A18B948AE315CB35D4406BDB7B5FF5DB94F058326EE8863764EB38E490DB10

Function 00007FF7155D51B0 Relevance: 3.1, APIs: 2, Instructions: 633COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7155D53CB
memcpy.VCRUNTIME140 ref: 00007FF7155D53DF

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: ea1388c74e66984c945f3f9971ad5354bba57aa87c4854771d0aa9719af39b35
Instruction ID: 7dfb71fa4995cb78338d4fdd750fca6b6baaf2c361ce78815650e03a4d098dcf
Opcode Fuzzy Hash: ea1388c74e66984c945f3f9971ad5354bba57aa87c4854771d0aa9719af39b35
Instruction Fuzzy Hash: A2623C7A604A8586DB24DF2AD9842EDB761FB88FD8F458222DF1D47B24CF38D568C710

Function 00007FF7155CCE10 Relevance: 2.7, APIs: 2, Instructions: 222COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CCF28
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CD179

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 9d0378e7b2a02e11e3eca02ca2559b71e4b0c017e7fc479145402b5d9f615781
Instruction ID: e4537ab3cac8ddb6cd5958e432e8f1c90c6e613448cfeb01dcc383eff8057027
Opcode Fuzzy Hash: 9d0378e7b2a02e11e3eca02ca2559b71e4b0c017e7fc479145402b5d9f615781
Instruction Fuzzy Hash: 9D910536A28AC586DB16DB39D4003B9B365FF9AB94F44C331DA4963765EF38E049C720

Function 00007FF7155C147F Relevance: 1.6, Strings: 1, Instructions: 393COMMON

Download Yara Rule

Strings

$, xrefs: 00007FF7155C1484

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 205051f0066b3948fca29594525a17c044d70534cadfb696e439e6e418c1dd5a
Instruction ID: 07624eddd99e70da4a49d8878aaa61b4e9aed17de645e710b1fd76a62a4b74fd
Opcode Fuzzy Hash: 205051f0066b3948fca29594525a17c044d70534cadfb696e439e6e418c1dd5a
Instruction Fuzzy Hash: 2412D336A14AC59BD35DDF3A85403E8F3A1FF59B44F488725DB2867561EB38B0A48B20

Function 00007FF7155D3460 Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X..., xrefs: 00007FF7155D349E

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID:
String ID: ..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...
API String ID: 0-3803095028
Opcode ID: 1e6ed24ab7587fb96c5e110fd09a1198b3e47eadda47550eff7d9c83150384c8
Instruction ID: 81daa36931b95a2dfc494a2a03f81100e89b059d7b61dd88fcb66de80fff1157
Opcode Fuzzy Hash: 1e6ed24ab7587fb96c5e110fd09a1198b3e47eadda47550eff7d9c83150384c8
Instruction Fuzzy Hash: 2AD1F6237086C885D755CF2EC885A78BFD6E795F09B4EC165CE89C23A5EB39C44AC360

Function 00007FF7155D9930 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF7155D9993

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: d99f9b1fb5d4e2947c5d39a0b941b99de0b648b4baadbf2fdd02b290c588892c
Instruction ID: 838d0adda7d693af686d0629ef65841e3356d1a537ac77343893e0e769e6b7ce
Opcode Fuzzy Hash: d99f9b1fb5d4e2947c5d39a0b941b99de0b648b4baadbf2fdd02b290c588892c
Instruction Fuzzy Hash: B401393AB18F4086E784DF24E04935D33A6BB08BD4FD24139DAAC46620DF3A9969CB10

Function 00007FF7155CDF00 Relevance: 1.4, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7155CDF5A

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 3e5d203910a6dfde057ea1a8d139407b245ff7585745baf241c7a7f5706faccd
Instruction ID: cf0e0f75262ffeb5199e103e90f66ce5616a42a135d3578dcdb5926fa7dabcfb
Opcode Fuzzy Hash: 3e5d203910a6dfde057ea1a8d139407b245ff7585745baf241c7a7f5706faccd
Instruction Fuzzy Hash: 3861BDBB62C6E207D35A1B3C684123DAED5B749744F4C8234FE8AC3B55CA3CD9199660

Function 00007FF7155CDC50 Relevance: 1.4, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7155CDCBA

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 79554b274a0616500ef4c04ae338a29712f23d0ed2d6ef241d6be6ad94eb8c20
Instruction ID: 7fc38f8e936456a6f235142318e6de3f9918a86cbe22bfd39361d21aaa39b20e
Opcode Fuzzy Hash: 79554b274a0616500ef4c04ae338a29712f23d0ed2d6ef241d6be6ad94eb8c20
Instruction Fuzzy Hash: 1A612AB3B2C6E186D3159B3CE404A79FEA9E75A714F498235DA8CC3A54DA3ED004C720

Function 00007FF7155D78A0 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9011bd571142cde630bbb5e6c3abe43ed11479962ff33a482ffa28074c450404
Instruction ID: 288edb366178a4fb45d926f613aaa7a06877e2431cb91989306ea7803a05112e
Opcode Fuzzy Hash: 9011bd571142cde630bbb5e6c3abe43ed11479962ff33a482ffa28074c450404
Instruction Fuzzy Hash: E412E523D18FCD85E217DA3780422B9B750EF7E794F28DB22FE54365B2DB25B1958A00

Function 00007FF7155C2C80 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91a774d03b4e76c351b30cf1448e108b8dcf623b15ead0637e58923f472d50d
Instruction ID: 62e83ee39cae460fd9d94ab29b6abf2d34dfaf6adc3155f59dacacae722f42fe
Opcode Fuzzy Hash: f91a774d03b4e76c351b30cf1448e108b8dcf623b15ead0637e58923f472d50d
Instruction Fuzzy Hash: 16D10937C28E8D85E256B63740421B4F3959F3EBA1F5DDB32E94C320B2DB2871999630

Function 00007FF7155C5150 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fde4c06d977b6af1549338ea54f8103d5744a9262b2a5d7f63ce0b3d69dd8fa
Instruction ID: 3755114ecad153b927dffd31cc0efdbf9703157216d4e7b853c87100402898a5
Opcode Fuzzy Hash: 9fde4c06d977b6af1549338ea54f8103d5744a9262b2a5d7f63ce0b3d69dd8fa
Instruction Fuzzy Hash: E2A17B76C2AB4A45E75FA5B3504177CE6456F2AF98F98CB32DD0D324F1EB28709C4620

Function 00007FF7155CAC30 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aef9115cd358d0afb3f68852fb0da289cac0ca5fabd8346fb89b5733c9eb2b0
Instruction ID: 2d92f3a1a2ee3d367c5ee0cd7c9b5b4f8513904da82d09a5980ea5d57bf95f1a
Opcode Fuzzy Hash: 0aef9115cd358d0afb3f68852fb0da289cac0ca5fabd8346fb89b5733c9eb2b0
Instruction Fuzzy Hash: 6CA11633A18AC88AE301DF3AD0411BDB7B0FB58759F558225EF8923675DB38B589DB10

Function 00007FF7155C8690 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3559cf259b55d21c8b349bfb0ed6358f7cb0f05fdab1c56cea628709367ec4c2
Instruction ID: dd9443a718382ec015c714643d4ead8a543c6ff5a389f551f9cc600a86facf10
Opcode Fuzzy Hash: 3559cf259b55d21c8b349bfb0ed6358f7cb0f05fdab1c56cea628709367ec4c2
Instruction Fuzzy Hash: 7251D8AAA344B147DE549F2AD8815BC76D1E386B53FD48476D65882FA1C22EC10DDF30

Function 00007FF7155B7245 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9163c28c7e41d9de57337ba7f208092a3a89567fee3f0caecd6913ec5a24e9
Instruction ID: 04dceeae39117275a034b8758ae14327ecb02d691051ef597caf0fe82216d430
Opcode Fuzzy Hash: 6f9163c28c7e41d9de57337ba7f208092a3a89567fee3f0caecd6913ec5a24e9
Instruction Fuzzy Hash: 394127A6B14B4947DF0CCB6DA4262B8A6A9D799BD4F848432DA4E477E1DE2CE205C200

Function 00007FF7155D3F20 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2aaafbd25cd13b6e1f9b35cc9b40f7938a55a5b7433b574255b6fd89e927077
Instruction ID: 42726f991772ca1971b283fecb79a67d5ab875eaf0b22f3cfef5f1baa36e0197
Opcode Fuzzy Hash: d2aaafbd25cd13b6e1f9b35cc9b40f7938a55a5b7433b574255b6fd89e927077
Instruction Fuzzy Hash: E0411C27A0DB49C1E525A52351441B9E663AFAAFD0F9CC732ED6C277A4DB7CF0885600

Function 00007FF7155B9B90 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ffe59d268ac686122308c62f40fe9c12d5805ff9e128e1360453c2f1954c5f
Instruction ID: 12fc63ed00688d03966bb25bbac8c53380b476d26b188acc655473071b164899
Opcode Fuzzy Hash: d0ffe59d268ac686122308c62f40fe9c12d5805ff9e128e1360453c2f1954c5f
Instruction Fuzzy Hash: F4312737738E5647EB4C8634E926B786AE2F345740FC9A539EE4AC66C2DB2CD414C310

Function 00007FF7155B696A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 62605c598576aef86bb619f29d2fb551c9466e11c5832594cf952a9f2882699e
Instruction ID: 42801394fe7bcb76befa096b2a8421edfde5aca31d2e2caaff1a072bd9078c91
Opcode Fuzzy Hash: 62605c598576aef86bb619f29d2fb551c9466e11c5832594cf952a9f2882699e
Instruction Fuzzy Hash: 4C11C29472574D4BFE94B75AA9292E6D252DB48FD0B4C7032CF0D8B76AEA1CE2018350

Function 00007FF7155B5CD7 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 4c693e3ca04d3f432d60e074b487dffc5f1757b5b730d138431a185616c0d3d9
Instruction ID: fe1a2dc0b672edd80fb23d9456362f6d48c27dc45db1e8fc3a2b9da53e8d2c67
Opcode Fuzzy Hash: 4c693e3ca04d3f432d60e074b487dffc5f1757b5b730d138431a185616c0d3d9
Instruction Fuzzy Hash: F4118B1472670E0BFE84EB5BA4252A6D252EB88BD0A4C3036CF4E4B795EE2CE254C310

Function 00007FF7155B585C Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 29a2a04d7093babeafb4ebb6dcec55dfb8a248905fc0f5f263e870319ae44d93
Instruction ID: 411d7a13e92b67bc2d57048d1924d608be45f87796fb45a863804892101f1d63
Opcode Fuzzy Hash: 29a2a04d7093babeafb4ebb6dcec55dfb8a248905fc0f5f263e870319ae44d93
Instruction Fuzzy Hash: 9E015A4472671E0BEE88BA2B64362A6D2469B88FD0B5C703ACF4E4B791EE2CD141C310

Function 00007FF7155B650B Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 1fc07cafffd7efdf5df8025b1480e7de11e1acee288810e102436a8496ef3ec2
Instruction ID: c50f58a2c6beef760952b2ccb0880c63ab727e91c17f0da3fd51327fe008e8f2
Opcode Fuzzy Hash: 1fc07cafffd7efdf5df8025b1480e7de11e1acee288810e102436a8496ef3ec2
Instruction Fuzzy Hash: B101809472564D47FD8CE72A983A2369203A74CFC0B40B03BDE8E8B359DD2CE105C310

Function 00007FF7155B57A5 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 4fd6e8a155a838319057d8e45aa4d943befe4e16bb66ec6b5d8daa1d77b11433
Instruction ID: 23363183523317f443a41da80fa29fbecdc701f86cbd05a7d11a3ccae4364e75
Opcode Fuzzy Hash: 4fd6e8a155a838319057d8e45aa4d943befe4e16bb66ec6b5d8daa1d77b11433
Instruction Fuzzy Hash: 6801D28570975843FE98F6A6A8311B7A612DB8CFD0B847032CF0E5BF5ADE1CD206C250

Function 00007FF7155B66E7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: d6a845ae21399a0a1e998132fb6c690883b8ac1f85b94a2ff59dd2db94b41b88
Instruction ID: 6db2fd931c6ac500be51782592a29511fd591394197074893fa22e1380e64884
Opcode Fuzzy Hash: d6a845ae21399a0a1e998132fb6c690883b8ac1f85b94a2ff59dd2db94b41b88
Instruction Fuzzy Hash: 4F01A158714A4946EE88FA175436176D242AB88FD0B887037DE4E47BA5DD2CE104C310

Function 00007FF7155B6124 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 8ad0e72bb74499bc48361be9328125688ae2867693181a642736b184a502b303
Instruction ID: d5707d0ef5ed179693cf5dbf411c9df3f42446bdf972c44f940bde0d76f312e0
Opcode Fuzzy Hash: 8ad0e72bb74499bc48361be9328125688ae2867693181a642736b184a502b303
Instruction Fuzzy Hash: FB01929971570A07FD88E65B5835376D293AB8CFD0F48B036DE4E4F759DD2CE1018210

Function 00007FF7155B65BC Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 5f9134c652ff3cd74a6d24e8e2477f3d5bdc7e5dfd38898e940047b9440e2627
Instruction ID: 94b1aa49add5718cb34e926e7475695065097d926781fe82788b15f86d3d1a1c
Opcode Fuzzy Hash: 5f9134c652ff3cd74a6d24e8e2477f3d5bdc7e5dfd38898e940047b9440e2627
Instruction Fuzzy Hash: C701D418B2574E4BEE48EB67A4211A5D261AB89FD0B8C3033DF4E47765DE2CE1058310

Function 00007FF7155B6D5E Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: e51d829709baa367232d561226ca047d48346dcab32a10564c37a8f46f8db4ed
Instruction ID: 3c170671d208e124c21651454b32d4c04080873aaae903c813462faba53fd7d7
Opcode Fuzzy Hash: e51d829709baa367232d561226ca047d48346dcab32a10564c37a8f46f8db4ed
Instruction Fuzzy Hash: 8E01B115B0881442FE08E7A6B8360B5E216AB8CF90B887032EE0F87B95CE1CD645C744

Function 00007FF7155B6E05 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 7a8f4e2c4ac60da26ae19f9b9f2302483b6f3b7689048352e6841a58f69b62cd
Instruction ID: 7d71c57b8b771f1316e5bcf946c70fbcd6d5e6127ed17ea65f17d8032815c1a2
Opcode Fuzzy Hash: 7a8f4e2c4ac60da26ae19f9b9f2302483b6f3b7689048352e6841a58f69b62cd
Instruction Fuzzy Hash: A601D61472560E4BEE9CFB6AA4352B693519B48FD0B5C3037DE4E47396DE2CE244C310

Function 00007FF7155B61DE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: df00c9a0010770d2f121cbc5e0522742c3dce75b20311e2a2a4bf3b76a269271
Instruction ID: 6d5c9185abd73120eeb04427e88d5d4a82762d51f5845db1d11edba45cd2623c
Opcode Fuzzy Hash: df00c9a0010770d2f121cbc5e0522742c3dce75b20311e2a2a4bf3b76a269271
Instruction Fuzzy Hash: 30018F18B1951503FE88E7A76432176E212BBCCFC0B887037EE4E57B55CD6CE502C210

Function 00007FF7155B62F1 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 7e8405c8f6ceda93b0ac242c38a26ac18f079162abb1355dac40cccdc6752647
Instruction ID: fd44eb4c3ee5bc1d61f0cd5a6a08aae5142fc8fb258c944d78bb4dd3aa85e1de
Opcode Fuzzy Hash: 7e8405c8f6ceda93b0ac242c38a26ac18f079162abb1355dac40cccdc6752647
Instruction Fuzzy Hash: 9501DB9572554943FE4CF7269825226D613B78CFD0F44A033DD4E4B7A9DD2CE105C310

Function 00007FF7155B709B Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: a336093dbe45dd36b0b0928b26fbed1b0f5448e955a0d63f06a136650774b1de
Instruction ID: 2238f9ff48b1055705ac9d822e26ad55dca66db70a883fbea97a49d3157583ae
Opcode Fuzzy Hash: a336093dbe45dd36b0b0928b26fbed1b0f5448e955a0d63f06a136650774b1de
Instruction Fuzzy Hash: 4801D155B1990546FE48EB8AB4761A6D222AF88FD0F8C7036DF0E4B7E9CE1CD111C720

Function 00007FF7155B6A3F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 7510da3d8d73d4f5a775c75310f625e6070a33f984a63c581dc140fc9721fff6
Instruction ID: e3b2ea05f76eefbe79f7216692b6450b15fa968976e20240ebade0214f1ff6e3
Opcode Fuzzy Hash: 7510da3d8d73d4f5a775c75310f625e6070a33f984a63c581dc140fc9721fff6
Instruction Fuzzy Hash: 9CF0F60072E60A46ED8CF76BB83A27652819BC8FD0F58343BDE0F43792DE2CE1408224

Function 00007FF7155B5F95 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: b404ea848cb3f30f47cb64cca5bd17c6ec4ca0bd62c8fe8c5867cbd788f72080
Instruction ID: 1b0df1e68ae6627df2e7375951e69ffc03379cb24cde14ee9941180088de1640
Opcode Fuzzy Hash: b404ea848cb3f30f47cb64cca5bd17c6ec4ca0bd62c8fe8c5867cbd788f72080
Instruction Fuzzy Hash: A7F06919B5895142FE48E796B8311BAE211AFC8FD4F882033EF4E87BA5DE1CD5068260

Function 00007FF7155F2AD0 Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 251registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7155D8B10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155D8C65

Part of subcall function 00007FF7155DEA10: memcpy.VCRUNTIME140 ref: 00007FF7155DEB0E
Part of subcall function 00007FF7155DEA10: memcpy.VCRUNTIME140 ref: 00007FF7155DEB1E

RegCreateKeyW.ADVAPI32 ref: 00007FF7155F2BB0
RegSetKeyValueW.ADVAPI32 ref: 00007FF7155F2BF5
RegCloseKey.ADVAPI32 ref: 00007FF7155F2C03

Part of subcall function 00007FF7155D8690: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF7155DCF5C,?,?,?,00007FF7155A10DD), ref: 00007FF7155D869B

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155F2C26
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155F2C71
RegSetKeyValueW.ADVAPI32 ref: 00007FF7155F2C9B
RegCloseKey.ADVAPI32 ref: 00007FF7155F2CA9
RegCloseKey.ADVAPI32 ref: 00007FF7155F2CBB
GetModuleHandleA.KERNEL32 ref: 00007FF7155F2CC8
GetProcAddress.KERNEL32 ref: 00007FF7155F2CE4
GetProcAddress.KERNEL32 ref: 00007FF7155F2CF7
RtlInitUnicodeString.NTDLL ref: 00007FF7155F2D74
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7155F2D9F
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF7155F2DAA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155F2DBA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155F2E08
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155F2E77
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155F2ECB

Strings

\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF7155F2D51
\??\, xrefs: 00007FF7155F2B86
[-] Can't create 'ImagePath' registry value, xrefs: 00007FF7155F2C09
ImagePath, xrefs: 00007FF7155F2BE8
[-] Can't create 'Type' registry value, xrefs: 00007FF7155F2CAF
[+] NtLoadDriver Status 0x, xrefs: 00007FF7155F2D82
4, xrefs: 00007FF7155F2D48
ntdll.dll, xrefs: 00007FF7155F2CC1
Type, xrefs: 00007FF7155F2C92
NtLoadDriver, xrefs: 00007FF7155F2CED
RtlAdjustPrivilege, xrefs: 00007FF7155F2CDA
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF7155F2B44
Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator., xrefs: 00007FF7155F2D13
[-] Can't create service key, xrefs: 00007FF7155F2BBD

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: V01@$_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$Close$AddressProcV01@@Valuememcpy$CreateHandleInitModuleStringUnicodeV21@@Vios_base@1@Xlength_error@std@@
String ID: 4$Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator.$ImagePath$NtLoadDriver$RtlAdjustPrivilege$SYSTEM\CurrentControlSet\Services\$Type$[+] NtLoadDriver Status 0x$[-] Can't create 'ImagePath' registry value$[-] Can't create 'Type' registry value$[-] Can't create service key$\??\$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 35767437-3793529226
Opcode ID: e4efff5a69e582d205fa4bc2efda3acb29633b8c30f206bbcbd7fa9fb4e437b3
Instruction ID: bdbdf91c1acebf8d0284ec5828046ea023d2c3e30de9416829a224b7f02349f7
Opcode Fuzzy Hash: e4efff5a69e582d205fa4bc2efda3acb29633b8c30f206bbcbd7fa9fb4e437b3
Instruction Fuzzy Hash: AEC16265B18E4299EB08EB65E8443AC7362EB44FA8F800532DA5D576B8DF3CE14DC364

Function 00007FF7155F2F10 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 178registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7155F2F44
RtlInitUnicodeString.NTDLL ref: 00007FF7155F2FB7
RegOpenKeyW.ADVAPI32 ref: 00007FF7155F3015
RegCloseKey.ADVAPI32 ref: 00007FF7155F302E
GetProcAddress.KERNEL32 ref: 00007FF7155F303E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7155F3069
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF7155F3074
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155F3084
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155F30AB
RegDeleteKeyW.ADVAPI32 ref: 00007FF7155F30C6
RegDeleteKeyW.ADVAPI32 ref: 00007FF7155F30E5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155F312C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155F3181

Strings

\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF7155F2F94
NtUnloadDriver, xrefs: 00007FF7155F3034
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF7155F2FEB
", xrefs: 00007FF7155F2FE2
ntdll.dll, xrefs: 00007FF7155F2F3D
[+] NtUnloadDriver Status 0x, xrefs: 00007FF7155F304C
[-] Driver Unload Failed!!, xrefs: 00007FF7155F308E

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$DeleteV01@@_invalid_parameter_noinfo_noreturn$AddressCloseHandleInitModuleOpenProcStringUnicodeV21@@Vios_base@1@
String ID: "$NtUnloadDriver$SYSTEM\CurrentControlSet\Services\$[+] NtUnloadDriver Status 0x$[-] Driver Unload Failed!!$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 961365364-3977549460
Opcode ID: ab1cd6c9b0304d427623f6497cebcb31fd037d57e34f17b9f4b9726e3526279f
Instruction ID: a261a1c70f5c5f852732de88d7b155e907bde671894eb346aac3efade257d164
Opcode Fuzzy Hash: ab1cd6c9b0304d427623f6497cebcb31fd037d57e34f17b9f4b9726e3526279f
Instruction Fuzzy Hash: E7714165B08E4299EF08AF65D4843ACA366FB44FA4F800536DA5D436B9DF3CE14DC320

Function 00007FF7155D9C20 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155D9CF0
_Init_thread_footer.LIBCMT ref: 00007FF7155D9D04
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155D9D30
GetModuleHandleA.KERNEL32 ref: 00007FF7155DD44C
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155DD474

Part of subcall function 00007FF7155FA838: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7155C70A0), ref: 00007FF7155FA848

Part of subcall function 00007FF7155DCE00: memmove.VCRUNTIME140(?,?,?,00007FF7155A10DD), ref: 00007FF7155DCE31

Part of subcall function 00007FF7155D9D60: memset.VCRUNTIME140 ref: 00007FF7155D9DBA
Part of subcall function 00007FF7155D9D60: VirtualAlloc.KERNEL32 ref: 00007FF7155D9E59
Part of subcall function 00007FF7155D9D60: VirtualFree.KERNEL32 ref: 00007FF7155D9E90

Strings

ExFreePool, xrefs: 00007FF7155D9C8F
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF7155DD5EC
[!] Failed to find ExAllocatePool, xrefs: 00007FF7155D9D13
NtAddAtom, xrefs: 00007FF7155DD49D, 00007FF7155DD520
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF7155DD5A2
[-] Failed to load ntdll.dll, xrefs: 00007FF7155DD457
ntdll.dll, xrefs: 00007FF7155DD445
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF7155DD4B5

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@VirtualW@std@@@std@@$AllocCriticalEnterFreeHandleInit_thread_footerModuleSection_invalid_parameter_noinfo_noreturnmemmovememset
String ID: ExFreePool$NtAddAtom$[!] Failed to find ExAllocatePool$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 1491483727-3600435281
Opcode ID: d315c5872a8abf413d78aba5c6563015a91a77f922521f758fc1616381881c19
Instruction ID: b8292b654374bf2b6dbf5d4878033da3f36d0a991075b8bd948c7e99636f1fd2
Opcode Fuzzy Hash: d315c5872a8abf413d78aba5c6563015a91a77f922521f758fc1616381881c19
Instruction Fuzzy Hash: 5A91506AE19E4284FB18FB55E8402B8A7B2BB44FB4FC04132D96D476B5DF6CE458C720

Function 00007FF7155DA545 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155DA610
_Init_thread_footer.LIBCMT ref: 00007FF7155DA624
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155DA650
GetModuleHandleA.KERNEL32 ref: 00007FF7155DD8AC
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155DD8D4

Part of subcall function 00007FF7155FA838: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7155C70A0), ref: 00007FF7155FA848

Part of subcall function 00007FF7155DCE00: memmove.VCRUNTIME140(?,?,?,00007FF7155A10DD), ref: 00007FF7155DCE31

Part of subcall function 00007FF7155D9D60: memset.VCRUNTIME140 ref: 00007FF7155D9DBA
Part of subcall function 00007FF7155D9D60: VirtualAlloc.KERNEL32 ref: 00007FF7155D9E59
Part of subcall function 00007FF7155D9D60: VirtualFree.KERNEL32 ref: 00007FF7155D9E90

Strings

[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF7155DDA4C
ExReleaseResourceLite, xrefs: 00007FF7155DA5AF
NtAddAtom, xrefs: 00007FF7155DD8FD, 00007FF7155DD980
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF7155DDA02
[-] Failed to load ntdll.dll, xrefs: 00007FF7155DD8B7
ntdll.dll, xrefs: 00007FF7155DD8A5
[!] Failed to find ExReleaseResourceLite, xrefs: 00007FF7155DA633
[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF7155DD915

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@VirtualW@std@@@std@@$AllocCriticalEnterFreeHandleInit_thread_footerModuleSection_invalid_parameter_noinfo_noreturnmemmovememset
String ID: ExReleaseResourceLite$NtAddAtom$[!] Failed to find ExReleaseResourceLite$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 1491483727-1591343369
Opcode ID: 997bffca976087f8f9a88c089ea7e3169d234958dae82f2fe39d78db2f993b4d
Instruction ID: 5bed9da7e7d544c845f157ac32127bdd268541b8615591d3a0fa0ceb9a246688
Opcode Fuzzy Hash: 997bffca976087f8f9a88c089ea7e3169d234958dae82f2fe39d78db2f993b4d
Instruction Fuzzy Hash: 94918366E09E4284FB08FB65E8402B8A762AF44FB4FC04132D96E577B5DF6CE548C720

Function 00007FF7155D9540 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7155DCFB0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD136
Part of subcall function 00007FF7155DCFB0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD13D
Part of subcall function 00007FF7155DCFB0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD14A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155D9590
CloseHandle.KERNEL32 ref: 00007FF7155D95A3

Part of subcall function 00007FF7155D8CA0: memset.VCRUNTIME140 ref: 00007FF7155D8CE2
Part of subcall function 00007FF7155D8CA0: GetTempPathW.KERNEL32 ref: 00007FF7155D8CF0
Part of subcall function 00007FF7155D8CA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155D8E24

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155D95FA
memset.VCRUNTIME140 ref: 00007FF7155D9629

Part of subcall function 00007FF7155DC670: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7155DC6A3
Part of subcall function 00007FF7155DC670: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7155DC6C2
Part of subcall function 00007FF7155DC670: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7155DC6F4
Part of subcall function 00007FF7155DC670: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7155DC710
Part of subcall function 00007FF7155DC670: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7155DC754

rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7155D964A
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7155D9693
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF7155D96D1
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155D970A
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7155D9737
_wremove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7155D9756
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7155D9797
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7155D97A1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155D97E1

Strings

[+] Vul driver data destroyed before unlink, xrefs: 00007FF7155D96F4
[!] Error dumping shit inside the disk, xrefs: 00007FF7155D96EB
[<] Unloading vulnerable driver, xrefs: 00007FF7155D9573

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: U?$char_traits@$D@std@@@std@@$U?$char_traits@_V01@W@std@@@std@@$_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@_?setstate@?$basic_ios@V01@@memsetrand$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?setstate@?$basic_ios@_?uncaught_exception@std@@?write@?$basic_ostream@CloseD@std@@@1@_HandleInit@?$basic_streambuf@Osfx@?$basic_ostream@_PathTempV12@V?$basic_streambuf@_wremove
String ID: [!] Error dumping shit inside the disk$[+] Vul driver data destroyed before unlink$[<] Unloading vulnerable driver
API String ID: 3605567200-4078119036
Opcode ID: 2fe270e579b09fb7ed7bba6b1feb378e5a30db7f11cab23d1c63767294567823
Instruction ID: 655099c9f78b8c58f64eaa0df1c2bee8cbbfb48f77a1ead8a4f04808d512e8aa
Opcode Fuzzy Hash: 2fe270e579b09fb7ed7bba6b1feb378e5a30db7f11cab23d1c63767294567823
Instruction Fuzzy Hash: FD71C666B18E4285EF08EB25E4542BDA363FB85FB4F804136DA6D47AB9DF2CD049C710

Function 00007FF7155D99D0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF7155D9A53
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF7155D9A76
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155D9A86
DeviceIoControl.KERNEL32 ref: 00007FF7155D9AF6
DeviceIoControl.KERNEL32 ref: 00007FF7155D9B77
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF7155D9B9A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155D9BAA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF7155D9BF6
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155D9C06

Part of subcall function 00007FF7155DCFB0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD136
Part of subcall function 00007FF7155DCFB0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD13D
Part of subcall function 00007FF7155DCFB0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD14A

Strings

[!] Failed to unmap IO space of physical address 0x, xrefs: 00007FF7155D9B88
[-] Failed to translate virtual address 0x, xrefs: 00007FF7155D9A64
[-] Failed to map IO space of 0x, xrefs: 00007FF7155D9BE4

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_$ControlDeviceV01@@$?setstate@?$basic_ios@_?uncaught_exception@std@@Osfx@?$basic_ostream@_
String ID: [!] Failed to unmap IO space of physical address 0x$[-] Failed to map IO space of 0x$[-] Failed to translate virtual address 0x
API String ID: 105665925-3202290428
Opcode ID: ac77adfc59caeadc746ec213f65bed0d4ed8d64711caf712b776bff93598cf71
Instruction ID: 120d2de3f3926092a8203918ea7492fbad259e592f90399893e0dc9f08b7f8eb
Opcode Fuzzy Hash: ac77adfc59caeadc746ec213f65bed0d4ed8d64711caf712b776bff93598cf71
Instruction Fuzzy Hash: 38516D76A18F8189E714AF61E4443A9B3B6FB48F98F804536DA8D17B68DF3CD118C364

Function 00007FF7155B77C0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF7155B782C
LoadLibraryA.KERNEL32 ref: 00007FF7155B7844
InitOnceComplete.KERNEL32 ref: 00007FF7155B7856
LoadLibraryA.KERNEL32 ref: 00007FF7155B7867
GetProcAddress.KERNEL32 ref: 00007FF7155B7877
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155B789D
__std_exception_copy.VCRUNTIME140 ref: 00007FF7155B78D4

Strings

user32.dll, xrefs: 00007FF7155B783D
win32u.dll, xrefs: 00007FF7155B7860
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF7155B7870

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProc__std_exception_copyabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 3611760927-2075034528
Opcode ID: 68c0ad8eca54f24009388a16de90c6ddd6b821698b0ad1d92dfb723cf04d5a86
Instruction ID: 419330327ab48a38b533112d7ae7bbea08585a68a217ec0a91bf3c4951c3336c
Opcode Fuzzy Hash: 68c0ad8eca54f24009388a16de90c6ddd6b821698b0ad1d92dfb723cf04d5a86
Instruction Fuzzy Hash: A8314D36A19F0186FB54EF25E84836973A6BB48F60F854036DA5D86770EF3CE598C720

Function 00007FF7155B7F30 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF7155B7FC2
LoadLibraryA.KERNEL32 ref: 00007FF7155B7FD9
InitOnceComplete.KERNEL32 ref: 00007FF7155B7FEB
LoadLibraryA.KERNEL32 ref: 00007FF7155B7FFC
GetProcAddress.KERNEL32 ref: 00007FF7155B800C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155B804B

Strings

user32.dll, xrefs: 00007FF7155B7FD2
win32u.dll, xrefs: 00007FF7155B7FF5
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF7155B8005

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: 1e3ac0fb5997864f617607ab36ab847c9ec5407adfb6e88af6587da71d772230
Instruction ID: f031c649c5351b1282061d37bf166b45e72f104f65dd43db60ca285a6685cd76
Opcode Fuzzy Hash: 1e3ac0fb5997864f617607ab36ab847c9ec5407adfb6e88af6587da71d772230
Instruction Fuzzy Hash: BE416D36A04E01CEF754DF74E8503ED73B2EB48B58F845536DA0D52A28DF38A268C320

Function 00007FF7155B7AD0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF7155B7B50
LoadLibraryA.KERNEL32 ref: 00007FF7155B7B68
InitOnceComplete.KERNEL32 ref: 00007FF7155B7B7A
LoadLibraryA.KERNEL32 ref: 00007FF7155B7B8B
GetProcAddress.KERNEL32 ref: 00007FF7155B7B9B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155B7BC1

Strings

user32.dll, xrefs: 00007FF7155B7B61
win32u.dll, xrefs: 00007FF7155B7B84
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF7155B7B94

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: d5a916352ce7cb8c6c84a8256dedb136ce243fa39cf8a234efdd3afc70f9e80d
Instruction ID: c947c39dfd035d95f562a275648159b54b761cefae0a374ec311a395778785c8
Opcode Fuzzy Hash: d5a916352ce7cb8c6c84a8256dedb136ce243fa39cf8a234efdd3afc70f9e80d
Instruction Fuzzy Hash: 3D311E79A18E0186FB48EB25E85836973A2FB84F60FC54036C65D46770EF3CD559CB20

Function 00007FF7155B7490 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF7155B750E
LoadLibraryA.KERNEL32 ref: 00007FF7155B752D
InitOnceComplete.KERNEL32 ref: 00007FF7155B753F
LoadLibraryA.KERNEL32 ref: 00007FF7155B7554
GetProcAddress.KERNEL32 ref: 00007FF7155B7564
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155B75D6

Strings

user32.dll, xrefs: 00007FF7155B7526
win32u.dll, xrefs: 00007FF7155B754D
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF7155B755D

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: 1014e5866cf53d62de73f16328be5b6e52e63ab505fe26a94db0acde3b228d26
Instruction ID: 20bafe900b9d4122420817c3321a761b8168f55fcdd1969f8e4aad1bb76b6986
Opcode Fuzzy Hash: 1014e5866cf53d62de73f16328be5b6e52e63ab505fe26a94db0acde3b228d26
Instruction Fuzzy Hash: DC316F36618E0186F758EB25E85476AB3A2FB88B64FC18136C64D87774DF3CE649CB10

Function 00007FF7155B76D0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF7155B773B
LoadLibraryA.KERNEL32 ref: 00007FF7155B7753
InitOnceComplete.KERNEL32 ref: 00007FF7155B7765
LoadLibraryA.KERNEL32 ref: 00007FF7155B7776
GetProcAddress.KERNEL32 ref: 00007FF7155B7786
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155B77AD

Strings

user32.dll, xrefs: 00007FF7155B774C
win32u.dll, xrefs: 00007FF7155B776F
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF7155B777F

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: 4a6d971e0c6d4fc0afe1107218f48c08d750f701fd81c5f2d4fc75ba6f57087e
Instruction ID: da048109b74ebe5de6182f6ea75561b61609c741c1bbaea2c2dde7ed85ae877c
Opcode Fuzzy Hash: 4a6d971e0c6d4fc0afe1107218f48c08d750f701fd81c5f2d4fc75ba6f57087e
Instruction Fuzzy Hash: 63213D3AA18E0186F794EB25E84836973E6BF84F50FC14036D69D82674EF3CD549DB20

Function 00007FF7155B75E0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF7155B764D
LoadLibraryA.KERNEL32 ref: 00007FF7155B7665
InitOnceComplete.KERNEL32 ref: 00007FF7155B7677
LoadLibraryA.KERNEL32 ref: 00007FF7155B7688
GetProcAddress.KERNEL32 ref: 00007FF7155B7698
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155B76C2

Strings

user32.dll, xrefs: 00007FF7155B765E
win32u.dll, xrefs: 00007FF7155B7681
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF7155B7691

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: 975f7dfe4b6231862f22f558be773e794d79dc79bda7a6ec454155d447f6e363
Instruction ID: 66adcda516a90cbd1d5066a76d4e0822be89c966fa015190bdac71ec87010067
Opcode Fuzzy Hash: 975f7dfe4b6231862f22f558be773e794d79dc79bda7a6ec454155d447f6e363
Instruction Fuzzy Hash: 3421193AA18E0185E794EB24E85836973A6BB48B50FC14136C59D86770EF3DD51CCB20

Function 00007FF7155F0AF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF7155EF2DE), ref: 00007FF7155F0AFB
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF7155F0B62
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7155F0B83
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7155F0C07
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7155F0C8F
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7155F0CD5

Strings

vector too long, xrefs: 00007FF7155F0AF4

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: D@std@@@std@@U?$char_traits@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@Xlength_error@std@@
String ID: vector too long
API String ID: 4055594487-2873823879
Opcode ID: 454fe8c0da5c2bbe3c13f0c80925004383b1bb712c9039e0c87e3580f196a21a
Instruction ID: f2e681e3c9d9db6aedf1bafc2c4f273b74da9455475a12acfa4cf8bf5522e089
Opcode Fuzzy Hash: 454fe8c0da5c2bbe3c13f0c80925004383b1bb712c9039e0c87e3580f196a21a
Instruction Fuzzy Hash: A0515026609E4185EB18EF1AE490229FBA1FB94FA5F998532CE5E43774CF3CD449C710

Function 00007FF7155DAE30 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF7155DA8B0), ref: 00007FF7155DAE73

Part of subcall function 00007FF7155D9890: DeviceIoControl.KERNEL32 ref: 00007FF7155D98F8

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF7155DA8B0), ref: 00007FF7155DAED4
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF7155DA8B0), ref: 00007FF7155DAF68

Part of subcall function 00007FF7155DCFB0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD136
Part of subcall function 00007FF7155DCFB0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD13D
Part of subcall function 00007FF7155DCFB0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD14A

Strings

[-] Read failed in FindPatternAtKernel, xrefs: 00007FF7155DAEBE
[-] No module address to find pattern, xrefs: 00007FF7155DAE56
[-] Can't find pattern, Too big section, xrefs: 00007FF7155DAE89
[-] Can't find pattern, xrefs: 00007FF7155DAF52

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_V01@@$?setstate@?$basic_ios@_?uncaught_exception@std@@ControlDeviceOsfx@?$basic_ostream@_
String ID: [-] Can't find pattern$[-] Can't find pattern, Too big section$[-] No module address to find pattern$[-] Read failed in FindPatternAtKernel
API String ID: 2892813601-521562947
Opcode ID: bf113081b3acb7d439f2d99228bd4696a6f3cb8cf949f827f6edaea4873ebb21
Instruction ID: 603bdd30df0276cd9ece2c0b41d0fd78b4517d4038bf2cca0ac16098e4250351
Opcode Fuzzy Hash: bf113081b3acb7d439f2d99228bd4696a6f3cb8cf949f827f6edaea4873ebb21
Instruction Fuzzy Hash: BC4194AAA08E8384EA58BB15E444175E363EF45FA4FC44172D96D077F5DF6CE5098320

Function 00007FF7155D9D60 Relevance: 12.2, APIs: 8, Instructions: 196memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7155D9DBA

Part of subcall function 00007FF7155D9890: DeviceIoControl.KERNEL32 ref: 00007FF7155D98F8

VirtualAlloc.KERNEL32 ref: 00007FF7155D9E59
VirtualFree.KERNEL32 ref: 00007FF7155D9E90
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7155D9F36
VirtualFree.KERNEL32 ref: 00007FF7155D9F9C
VirtualFree.KERNEL32 ref: 00007FF7155DA01B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155DA057
VirtualFree.KERNEL32 ref: 00007FF7155DA069

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocControlDevice_invalid_parameter_noinfo_noreturn_stricmpmemset
String ID:
API String ID: 2498276250-0
Opcode ID: a10de50e679e829c9ee2acb43f513540187f728090bb990c0b275dabba21a589
Instruction ID: ddde1c4b7951c70ea55b5bf15b8807433f2d585eabbfb2c0ba98b3d40720489c
Opcode Fuzzy Hash: a10de50e679e829c9ee2acb43f513540187f728090bb990c0b275dabba21a589
Instruction Fuzzy Hash: 7781B536B08E4186EB64EB15E44436AA3A3FB85FE4F804235DA6D47BA4DF7CE085C710

Function 00007FF7155CF100 Relevance: 11.4, APIs: 9, Instructions: 139COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF138
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF167
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF196
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF1D1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF200
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF235
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CF2BF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CF2F8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CF353

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 37e62c114384863a804dccdd4e678d0ed932c1658c43c64b259ba3e815c23cc7
Instruction ID: bcac9f058cea55b79412a23c3448c2f14ae1b31f5b43616163201c821dc27ce9
Opcode Fuzzy Hash: 37e62c114384863a804dccdd4e678d0ed932c1658c43c64b259ba3e815c23cc7
Instruction Fuzzy Hash: 1161153A615B8581EB08AF15E440229B7B6FF44FA4F884536CE9D07765CF78E4A4C770

Function 00007FF7155C6960 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155C69B5
memcpy.VCRUNTIME140 ref: 00007FF7155C69CA
memchr.VCRUNTIME140 ref: 00007FF7155C6A65
memchr.VCRUNTIME140 ref: 00007FF7155C6A81
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155C6B75

Strings

Window, xrefs: 00007FF7155C6A9A
], xrefs: 00007FF7155C6A42

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: memchr$freemallocmemcpy
String ID: Window$]
API String ID: 96147131-2892678728
Opcode ID: 9b7cfd953141a3984d28025ca92b8b9308b4586d30f738cdda45a275b379e7be
Instruction ID: 9d4de4a529717efc713484c5940f68a1a078530e4d0e2273deaee4b6936e8797
Opcode Fuzzy Hash: 9b7cfd953141a3984d28025ca92b8b9308b4586d30f738cdda45a275b379e7be
Instruction Fuzzy Hash: 2951E729B18E8581EB18AA1A9504279E797BB45FE4FD84131DE4D077A5CF2CF649C330

Function 00007FF7155DE800 Relevance: 10.6, APIs: 7, Instructions: 146COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7155DE894
memmove.VCRUNTIME140 ref: 00007FF7155DE8DF
memcpy.VCRUNTIME140 ref: 00007FF7155DE8F7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155DE992

Part of subcall function 00007FF7155FA2B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7155A100E), ref: 00007FF7155FA2CA

memcpy.VCRUNTIME140 ref: 00007FF7155DE9C8
memcpy.VCRUNTIME140 ref: 00007FF7155DE9E6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155DEA09

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemmove
String ID:
API String ID: 3070920775-0
Opcode ID: 08c9021ee16a8d382db989f6fc6bdab2c19adcfa1f5d4f79bdf047ae850cf362
Instruction ID: 7be6c5dbf5504ad583e7f280446a4b448cbca76d6decf98a16f3ce652010b8df
Opcode Fuzzy Hash: 08c9021ee16a8d382db989f6fc6bdab2c19adcfa1f5d4f79bdf047ae850cf362
Instruction Fuzzy Hash: E551A037A05F8585EA28AB25E548269B362FB04FB4F944635DB7D027E1DF3CE188C350

Function 00007FF7155DEB50 Relevance: 10.6, APIs: 7, Instructions: 137COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7155DEBDD
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7155DEC3A
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7155DEC66
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z.MSVCP140 ref: 00007FF7155DECA2
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7155DECD6
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7155DECDD
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7155DECEA

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID:
API String ID: 4072499529-0
Opcode ID: 3d704473430821f9a3ec2b2ee9af85f6c16cfbdacd8f7545f0bf96252848740b
Instruction ID: b9be054bc1f1b98218b6bc8423be88c900384179518422892cf17267615f4ff0
Opcode Fuzzy Hash: 3d704473430821f9a3ec2b2ee9af85f6c16cfbdacd8f7545f0bf96252848740b
Instruction Fuzzy Hash: 13515F3B608E41C5EA249B5AE584239F762EB84F95F558436CE5E03774CF3DE48A9310

Function 00007FF7155DCFB0 Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD04C
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD0A9
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD0CC
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD0ED
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD136
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD13D
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD14A

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID:
API String ID: 4072499529-0
Opcode ID: 078c75e69d0945888bfdcc133536ab650d3f8e4cdefdd6ce5e9a3586192cc556
Instruction ID: ba434be66b713608660eb58006b657bc83e0d53f0626abdbbf2cf2d3e4added8
Opcode Fuzzy Hash: 078c75e69d0945888bfdcc133536ab650d3f8e4cdefdd6ce5e9a3586192cc556
Instruction Fuzzy Hash: A851B52B608E4181EB249F1AE584239E762FB84FA5F918136CE5E037B0DF3DE44AC310

Function 00007FF7155DAFB0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7155D9890: DeviceIoControl.KERNEL32 ref: 00007FF7155D98F8

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF7155DA8B0), ref: 00007FF7155DB025

Part of subcall function 00007FF7155DCFB0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD04C
Part of subcall function 00007FF7155DCFB0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD0A9
Part of subcall function 00007FF7155DCFB0: ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD0CC
Part of subcall function 00007FF7155DCFB0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD0ED

memcmp.VCRUNTIME140(?,?,?,00007FF7155DA8B0), ref: 00007FF7155DB0B0

Part of subcall function 00007FF7155DCFB0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD136
Part of subcall function 00007FF7155DCFB0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD13D
Part of subcall function 00007FF7155DCFB0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD14A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF7155DA8B0), ref: 00007FF7155DB11C

Strings

[-] Can't find section, xrefs: 00007FF7155DB106
[-] Can't read module headers, xrefs: 00007FF7155DB00F
PAGE, xrefs: 00007FF7155DB03B, 00007FF7155DB0D5

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_?sputc@?$basic_streambuf@_V01@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_?uncaught_exception@std@@ControlDeviceOsfx@?$basic_ostream@_V12@memcmp
String ID: PAGE$[-] Can't find section$[-] Can't read module headers
API String ID: 3692731308-1129567509
Opcode ID: 06a360e84e2875c55986e81abe2b577e948746fa8a0c054d441f450b1ed65207
Instruction ID: 974a6898dc9f0bb1e464437d10909ac447a2e25685badfcd4684ad93107123c8
Opcode Fuzzy Hash: 06a360e84e2875c55986e81abe2b577e948746fa8a0c054d441f450b1ed65207
Instruction Fuzzy Hash: 82416536A08EC681EB64AF15E4401B6A3A3EB45FB4F844135DEAD437A9DF7CE449C710

Function 00007FF7155DE270 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE298
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE2B2
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE2DC
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE307
std::_Facet_Register.LIBCPMT ref: 00007FF7155DE320
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE33F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155DE365

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$ctype@_Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@W@std@@std::_
String ID:
API String ID: 3972169111-0
Opcode ID: dbf9ae5fa07223a1fe4b601678366eabe82816ca5094b8eb4729b4a05f8941cf
Instruction ID: 2c91dfc15e1ae19088aeee3539afa1189602893707e9ca5d676fb1c8c5a5efd8
Opcode Fuzzy Hash: dbf9ae5fa07223a1fe4b601678366eabe82816ca5094b8eb4729b4a05f8941cf
Instruction Fuzzy Hash: E2316F2A608F8185EA58AF55E444179B762FB88FA4F884532DA6E037B4CF3CE449C720

Function 00007FF7155DE170 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE198
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE1B2
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE1DC
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE207
std::_Facet_Register.LIBCPMT ref: 00007FF7155DE220
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE23F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155DE265

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: 693388d1a5bb84d5a48b657389742f1e4c31efe8f0bc749a1c2a832ef63a146f
Instruction ID: 6f82f613f7c164c3d87b857717b86f73be666413d30e834ba26a6467f2184396
Opcode Fuzzy Hash: 693388d1a5bb84d5a48b657389742f1e4c31efe8f0bc749a1c2a832ef63a146f
Instruction Fuzzy Hash: A431822A608F4185EB58AF51E444169F762FB88FB4F884636DA6E077B4CF3CE449C710

Function 00007FF7155C6E40 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 130stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00007FF7155C6FB7

Strings

###, xrefs: 00007FF7155C6FAD
Collapsed=%d, xrefs: 00007FF7155C701A
Size=%d,%d, xrefs: 00007FF7155C6FFE
Pos=%d,%d, xrefs: 00007FF7155C6FE1
[%s][%s], xrefs: 00007FF7155C6FC1

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: strstr
String ID: ###$Collapsed=%d$Pos=%d,%d$Size=%d,%d$[%s][%s]
API String ID: 1392478783-2972057365
Opcode ID: bf784bdaf270d046d9ae6b05241313c3a2dc6a8f0412e21312333810f1df9275
Instruction ID: 2d283e01e7b92eac9e62cf62c94c8d55f8bb3f62cf1c89db0a4e4b9302d351b1
Opcode Fuzzy Hash: bf784bdaf270d046d9ae6b05241313c3a2dc6a8f0412e21312333810f1df9275
Instruction Fuzzy Hash: 5A51E336A28A8286DB18EF15D444078B3A6FB89FA4F858536DE4C07764DF3CF559C720

Function 00007FF7155DA680 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155DA7BC
_Init_thread_footer.LIBCMT ref: 00007FF7155DA7E2
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155DA80E

Strings

RtlLookupElementGenericTableAvl, xrefs: 00007FF7155DA75B
[!] Failed to find RtlLookupElementGenericTableAvl, xrefs: 00007FF7155DA7F1

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: V01@$??6?$basic_ostream@_Init_thread_footerU?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturn
String ID: RtlLookupElementGenericTableAvl$[!] Failed to find RtlLookupElementGenericTableAvl
API String ID: 1815191494-1952825546
Opcode ID: dc92b73a1cc9d1d2235371bee4af41906c46207bf056b44d24b6be692903d6c6
Instruction ID: 96244e4f2f006cfbee94ee0d6985e30bd8fefc8f5cd9e72fef40d3b5fcbeec28
Opcode Fuzzy Hash: dc92b73a1cc9d1d2235371bee4af41906c46207bf056b44d24b6be692903d6c6
Instruction Fuzzy Hash: 65416076A18F8685EA14EB14E44036AE362FB84BB0F904235EAAD437B5DF7CD049CB10

Function 00007FF7155B8802 Relevance: 8.8, APIs: 7, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7155CF100: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF138
Part of subcall function 00007FF7155CF100: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF167
Part of subcall function 00007FF7155CF100: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF196
Part of subcall function 00007FF7155CF100: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF1D1
Part of subcall function 00007FF7155CF100: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF200
Part of subcall function 00007FF7155CF100: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7155B881E), ref: 00007FF7155CF235

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155B8844
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155B886F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155B8897
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155B88BF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155B88E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155B890F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155B8937

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c74561c7cf1fe9c8b344e6bc5dc7e92609ce7b09c415c9f5becef5ea7eadb254
Instruction ID: 0cd113d9360d033431e1f9f7904a1bab906519a6fd3952169282367a5489b4c2
Opcode Fuzzy Hash: c74561c7cf1fe9c8b344e6bc5dc7e92609ce7b09c415c9f5becef5ea7eadb254
Instruction Fuzzy Hash: 9431E429A0AA4685FF0DAF15D494674A7B3BF44FA0F886936D95C033B1CF6CE558C630

Function 00007FF7155DA3E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-0000000A,00007FF7155DAA8D), ref: 00007FF7155DA4F0

Part of subcall function 00007FF7155FA838: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7155C70A0), ref: 00007FF7155FA848

Part of subcall function 00007FF7155DCE00: memmove.VCRUNTIME140(?,?,?,00007FF7155A10DD), ref: 00007FF7155DCE31

Part of subcall function 00007FF7155D9D60: memset.VCRUNTIME140 ref: 00007FF7155D9DBA
Part of subcall function 00007FF7155D9D60: VirtualAlloc.KERNEL32 ref: 00007FF7155D9E59
Part of subcall function 00007FF7155D9D60: VirtualFree.KERNEL32 ref: 00007FF7155D9E90

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155DA4B0
_Init_thread_footer.LIBCMT ref: 00007FF7155DA4C4

Strings

ExAcquireResourceExclusiveLite, xrefs: 00007FF7155DA44F
[!] Failed to find ExAcquireResourceExclusiveLite, xrefs: 00007FF7155DA4D3

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: V01@Virtual$??6?$basic_ostream@_AllocCriticalEnterFreeInit_thread_footerSectionU?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturnmemmovememset
String ID: ExAcquireResourceExclusiveLite$[!] Failed to find ExAcquireResourceExclusiveLite
API String ID: 3554207627-2131800721
Opcode ID: 55f46acaae3468bca0b1a652774a057f1d467805380c048a15c19ac44e1ff78b
Instruction ID: 5df87d9abb24bc040f2df224faa9bc90b4b097c46cd88121fe87120d37bfc894
Opcode Fuzzy Hash: 55f46acaae3468bca0b1a652774a057f1d467805380c048a15c19ac44e1ff78b
Instruction Fuzzy Hash: 68314376A08E8281EB58EB54F485379A762EF44FB0F805131D56E46AB9DF6CD098C720

Function 00007FF7155D1E30 Relevance: 7.6, APIs: 6, Instructions: 144COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D1E67
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D1F28
memcpy.VCRUNTIME140 ref: 00007FF7155D1F47
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D1F6E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D2036
memcpy.VCRUNTIME140 ref: 00007FF7155D204C

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: malloc$memcpy$free
String ID:
API String ID: 2877244841-0
Opcode ID: b019755a26e6dca94ce2fcaee46ef848526b93ae3997d5cd8cfabe62b8f0e9ad
Instruction ID: 93140ad51d1a23df60989edd1987441e7e5ab58c1c4e87390b25e07f7c7c391a
Opcode Fuzzy Hash: b019755a26e6dca94ce2fcaee46ef848526b93ae3997d5cd8cfabe62b8f0e9ad
Instruction Fuzzy Hash: 60617E36A09F8182EB189F29D580378B7A1FB58F54F489235DB8D47762DF38E4A5C320

Function 00007FF7155DC670 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7155DC6A3
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7155DC6C2
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7155DC6F4
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7155DC710

Part of subcall function 00007FF7155DCBB0: ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF7155DCBDA
Part of subcall function 00007FF7155DCBB0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7155DCC02
Part of subcall function 00007FF7155DCBB0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7155DCC17

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7155DC754

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@Init@?$basic_streambuf@U_iobuf@@V?$basic_streambuf@Vlocale@2@
String ID:
API String ID: 3805387474-0
Opcode ID: 21effff994e385f54efb42471c26596f858647b635dcc98acdf1f30cb5cd36e0
Instruction ID: 7faaf203b2b4bbb9cb94ba3afc0174aa574f63924e859e384a2eeaaaabcc9582
Opcode Fuzzy Hash: 21effff994e385f54efb42471c26596f858647b635dcc98acdf1f30cb5cd36e0
Instruction Fuzzy Hash: CD212836605F8186EB549F29F894329B7A1FB89F98F848135CA8D43724DF3DD019C750

Function 00007FF7155D6640 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 00007FF7155D6689
SetCursorPos.USER32 ref: 00007FF7155D6697
GetForegroundWindow.USER32 ref: 00007FF7155D66B1
GetCursorPos.USER32 ref: 00007FF7155D66C5
ScreenToClient.USER32 ref: 00007FF7155D66DB

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: ClientCursorScreen$ForegroundWindow
String ID:
API String ID: 4123119131-0
Opcode ID: 6f7be35c420d553131d4428bb555b22f6f9dbb2274a5b5b0284617c4c3bd5c17
Instruction ID: acef9d6c0d5d4b1b32e739f437103c562fa0e37d952923d29e15f9c7882741fc
Opcode Fuzzy Hash: 6f7be35c420d553131d4428bb555b22f6f9dbb2274a5b5b0284617c4c3bd5c17
Instruction Fuzzy Hash: E0217176919E858AE765EF20E444169B3B2FB88F68F840232D95D46274DF3CE549CF30

Function 00007FF7155C7310 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00007FF7155C7349
ImmSetCompositionWindow.IMM32 ref: 00007FF7155C736F
ImmReleaseContext.IMM32 ref: 00007FF7155C737B

Strings

, xrefs: 00007FF7155C7367

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: Context$CompositionReleaseWindow
String ID:
API String ID: 244372355-3916222277
Opcode ID: 290400a618776873199429714fac2e970c6dabd299f32943080d1c025647e877
Instruction ID: 70e2dc1ff16599487438f02f88df29f826016ad33ef0498c7c2542161c70fae9
Opcode Fuzzy Hash: 290400a618776873199429714fac2e970c6dabd299f32943080d1c025647e877
Instruction Fuzzy Hash: F2017535A08F4186EB649B06B504269F7A6FB8CFE4F844136DE8D43724DF3CE4088B20

Function 00007FF7155D6B00 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 425COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF7155D6C83
memchr.VCRUNTIME140 ref: 00007FF7155D6D43
memchr.VCRUNTIME140 ref: 00007FF7155D6E3E

Strings

..., xrefs: 00007FF7155D6B05

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: memchr
String ID: ...
API String ID: 3297308162-440645147
Opcode ID: f06189f303e04c4cb1d2e7c1ee710e403f835a0ff0bca0791c9e77664da91606
Instruction ID: f107738a7998f4a0953bca2dbadaef41c7a979fc4629048e31d82710e429f0ac
Opcode Fuzzy Hash: f06189f303e04c4cb1d2e7c1ee710e403f835a0ff0bca0791c9e77664da91606
Instruction Fuzzy Hash: 0D22FA33D18BC985E7169B3690413B9F351EF6D7A4F588731EA98321B5EB28F1C98B10

Function 00007FF7155C74C0 Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155C751E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155C7555
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155C7583
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155C75B1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155C75D9

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1d4f6710f2e571beceaa16e893db6adc8f7d78774991947d33b59137be671992
Instruction ID: fec9094c32f3bdd8e6a07ba5f1a66501ad6755ef866df01863c49c0a6acdd54c
Opcode Fuzzy Hash: 1d4f6710f2e571beceaa16e893db6adc8f7d78774991947d33b59137be671992
Instruction Fuzzy Hash: 68314F39A29E4186EB18AF19E490538B7B6FF40F64F885539CA5D03775CF38E854C6B0

Function 00007FF7155BB120 Relevance: 6.3, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155BB14E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155BB179
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155BB1A4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155BB1CF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155BB1FA

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9878cff92b7a45efd5d6081b4655f952557cb57d78299425c169f0dafcd8b674
Instruction ID: e257d174d78bc5dbe7fb0f8f6fae7d7ef464726c4fb3dacff8d6f6afe788b263
Opcode Fuzzy Hash: 9878cff92b7a45efd5d6081b4655f952557cb57d78299425c169f0dafcd8b674
Instruction Fuzzy Hash: D0211669A0AE8681FF5DAB15D494674A7B2BF44FB0F889536CC1C073B1CFACA558C230

Function 00007FF7155CBDB0 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CBF06
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CBF33
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CBF5A
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7155CBF7D

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: ceilffloorf
String ID:
API String ID: 300201839-0
Opcode ID: dfbb7176f5694f162866095dfb2e73129c0bb1256fdf5942bd61c65894896c39
Instruction ID: 98a9aec865d08b52e869ce1024c47e02289140933f1651ce0b2c4e6b83fced3a
Opcode Fuzzy Hash: dfbb7176f5694f162866095dfb2e73129c0bb1256fdf5942bd61c65894896c39
Instruction Fuzzy Hash: 25517A2292CFD185D3669F3150413BAF7A5BF68761F848332FE8462665EB3DD481CB10

Function 00007FF7155EFA50 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000), ref: 00007FF7155EFB85
memset.VCRUNTIME140(?,?,?,?,?,?,?,00000000), ref: 00007FF7155EFB8E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF7155EFB93
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF7155EFB9F

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfomemcpymemset
String ID:
API String ID: 187659361-0
Opcode ID: f70d7057f9271e2cd893f5f297f108b85b0847ddb0acec2d83d9a4a34008c8fd
Instruction ID: 849cf3c5c903a92c4e23d43cc631d452bd51b9b6aee71cfccb4974b524c0f35d
Opcode Fuzzy Hash: f70d7057f9271e2cd893f5f297f108b85b0847ddb0acec2d83d9a4a34008c8fd
Instruction Fuzzy Hash: CF41E67AB09E1182D718AB1AA44453DF3A6FF88FA0F958431DE2C97B60DF3CD8858750

Function 00007FF7155DCE00 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF7155A10DD), ref: 00007FF7155DCE31
memcpy.VCRUNTIME140(?,?,?,00007FF7155A10DD), ref: 00007FF7155DCEF6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF7155A10DD), ref: 00007FF7155DCF4A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155DCF51

Part of subcall function 00007FF7155FA2B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7155A100E), ref: 00007FF7155FA2CA

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemcpymemmove
String ID:
API String ID: 966911907-0
Opcode ID: f0610ef426ac94961e7403331a5ddb8b2f7967d32f0b7a5753f1b7de162f1d22
Instruction ID: e5d9e94f946d370a804c7ad807cca62b041365d32cee12df75332ed11ad198b5
Opcode Fuzzy Hash: f0610ef426ac94961e7403331a5ddb8b2f7967d32f0b7a5753f1b7de162f1d22
Instruction Fuzzy Hash: B641AE6BB0AE4684EA1DEB26D544278A252DB04FF4F944631DE3D077E5DF7CE48A8310

Function 00007FF7155DE4E0 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7155DE5E7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155DE62A
memcpy.VCRUNTIME140 ref: 00007FF7155DE634
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155DE66F

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: b5ff13d59bae1a0f5b20649b3fea5ae77ff77566e4ec2f8af34c9ec3637ade59
Instruction ID: e32f463387bf2ac671cde94fac621a4a670eac3c3b4a41a803919c164b9542aa
Opcode Fuzzy Hash: b5ff13d59bae1a0f5b20649b3fea5ae77ff77566e4ec2f8af34c9ec3637ade59
Instruction Fuzzy Hash: 9041BE2AB09B4189EA18AB21A40416DB356EB08FF0F940731DE7D077E5EF7DE0999310

Function 00007FF7155DCC80 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00000000,00007FF7155D8DB2), ref: 00007FF7155DCCBB
memcpy.VCRUNTIME140(?,?,00000000,00007FF7155D8DB2), ref: 00007FF7155DCD9C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF7155D8DB2), ref: 00007FF7155DCDE5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155DCDF2

Part of subcall function 00007FF7155FA2B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7155A100E), ref: 00007FF7155FA2CA

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemcpymemmove
String ID:
API String ID: 966911907-0
Opcode ID: de1a70e45a41822d79e4912c80078ab6e8efdd8e1f9a427c9fb1ce8c5abd76b9
Instruction ID: a83f7ba5d218b22c40c96eeb52e0d39242440b9dda87d055d6024bdf778f63c6
Opcode Fuzzy Hash: de1a70e45a41822d79e4912c80078ab6e8efdd8e1f9a427c9fb1ce8c5abd76b9
Instruction Fuzzy Hash: 4331C066B06E8655ED18BB12D8452B8A652AF05FF0F980731DE3D077E5DF7CE48A8320

Function 00007FF7155DE680 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,7FFFFFFFFFFFFFFF,?,?,00007FF7155F0C78), ref: 00007FF7155DE75F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,7FFFFFFFFFFFFFFF,?,?,00007FF7155F0C78), ref: 00007FF7155DE79C
memcpy.VCRUNTIME140(?,7FFFFFFFFFFFFFFF,?,?,00007FF7155F0C78), ref: 00007FF7155DE7A6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155DE7D3

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 044dd7c30fb26f47ae2b440beed26446a78f78eacc7a9665c92f2063cdf90c02
Instruction ID: 939090190e92c9013bfe2d41a0b2aea146ad8831d06964ba43fb0bb92579501e
Opcode Fuzzy Hash: 044dd7c30fb26f47ae2b440beed26446a78f78eacc7a9665c92f2063cdf90c02
Instruction Fuzzy Hash: B341E42AB09B8199EE98AB15A400269B352EB04FF0F984631DE7D077E5CF7CE0959310

Function 00007FF7155DE370 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7155DE464
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155DE49C
memcpy.VCRUNTIME140 ref: 00007FF7155DE4A6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155DE4CF

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: a40cfd76a38c6a4a69ef36b711b5c7bc147816559ca095e8b1155b47d96aa0cf
Instruction ID: 970a3acbc4056fe333c4f604399a2625df7ec3fabba3dd1034b93f0c50acc7bc
Opcode Fuzzy Hash: a40cfd76a38c6a4a69ef36b711b5c7bc147816559ca095e8b1155b47d96aa0cf
Instruction Fuzzy Hash: D031916AB09A4689EE18AB16A5042B8F353AB04FF0F984731DA7D077E5DF7CE0499210

Function 00007FF7155DEA10 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7155DEADD

Part of subcall function 00007FF7155FA2B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7155A100E), ref: 00007FF7155FA2CA

memcpy.VCRUNTIME140 ref: 00007FF7155DEB0E
memcpy.VCRUNTIME140 ref: 00007FF7155DEB1E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7155DEB41

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: d2fba369829a6a16654a9b493e6dd5e28788dcd7a8916b949e5f24a1825edc76
Instruction ID: 225963906df4cc823571c1b41fa5d16c50a6c92510d788490dea7528cfab996d
Opcode Fuzzy Hash: d2fba369829a6a16654a9b493e6dd5e28788dcd7a8916b949e5f24a1825edc76
Instruction Fuzzy Hash: C631A127B05A4594EA28EB52A5042A9B292FB48FF4F984731DE7D477E4DF7CE0898310

Function 00007FF7155C1B90 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7155C1C24
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7155C1C36
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7155C1C3E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155C1CA8

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: __acrt_iob_funcfclosefflushfree
String ID:
API String ID: 4015754604-0
Opcode ID: 4565180c22bb5c96e9ff0b4c17ff548305e96b1097737bef9ec23ff6a4b5661f
Instruction ID: d9769ebcce8576f5d961e3d4e8512c4da8cc1c4e5b2b7bcefc62dff9e7d1fae3
Opcode Fuzzy Hash: 4565180c22bb5c96e9ff0b4c17ff548305e96b1097737bef9ec23ff6a4b5661f
Instruction Fuzzy Hash: 5B41A13AA19E8286E718EF15E0402A8B3B5FB45F64F884531DB5D47664CF3CE498C730

Function 00007FF7155DCBB0 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF7155DCBDA

Part of subcall function 00007FF7155DCA40: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,?,?,00007FF7155DCBFA), ref: 00007FF7155DCA72
Part of subcall function 00007FF7155DCA40: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00007FF7155DCBFA), ref: 00007FF7155DCAA0

?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7155DCC02

Part of subcall function 00007FF7155DE170: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE198
Part of subcall function 00007FF7155DE170: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE1B2
Part of subcall function 00007FF7155DE170: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE1DC
Part of subcall function 00007FF7155DE170: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE207
Part of subcall function 00007FF7155DE170: std::_Facet_Register.LIBCPMT ref: 00007FF7155DE220
Part of subcall function 00007FF7155DE170: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF7155DCC11), ref: 00007FF7155DE23F

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7155DCC17
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7155DCC32

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: 77e9daa05b58afd86b0f3b53f771337a201eb39d06f36f0c1e0948368d47bce4
Instruction ID: 1033006f5c47d7d7509e65a423a09b2420295c7dcb8c08703d0baecf84f5dc7b
Opcode Fuzzy Hash: 77e9daa05b58afd86b0f3b53f771337a201eb39d06f36f0c1e0948368d47bce4
Instruction Fuzzy Hash: 21119026B09F0685EE48AB11E448328A3A2EF49FD4F984035CE2E0B7B4DF3CE449C310

Function 00007FF7155B8A10 Relevance: 5.4, APIs: 4, Instructions: 372COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7155B95B0: memset.VCRUNTIME140(?,?,?,00007FF7155B8A48), ref: 00007FF7155B967A
Part of subcall function 00007FF7155B95B0: memset.VCRUNTIME140(?,?,?,00007FF7155B8A48), ref: 00007FF7155B96CA

memset.VCRUNTIME140 ref: 00007FF7155B8EEA

Part of subcall function 00007FF7155D3920: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D3957
Part of subcall function 00007FF7155D3920: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D3986
Part of subcall function 00007FF7155D3920: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155D39B5

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155B8FD0
memset.VCRUNTIME140 ref: 00007FF7155B92B0
memset.VCRUNTIME140 ref: 00007FF7155B92E0

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: memset$free$malloc
String ID:
API String ID: 1393892039-0
Opcode ID: 6f33b4c64a448f340aa713d0677b3f0d6fc5560282f4c855583fca6737aee5f9
Instruction ID: 64b8d5e19d46c58a844443563186efe6b2ca2dc9338071d81c07450fbb440ef5
Opcode Fuzzy Hash: 6f33b4c64a448f340aa713d0677b3f0d6fc5560282f4c855583fca6737aee5f9
Instruction Fuzzy Hash: 2832C073505BC086D3109F29A8441CA37E9F745F68F284B39DEA40BBA8DF3481A5E778

Function 00007FF7155B7A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF7155B7A5B
GetWindowThreadProcessId.USER32 ref: 00007FF7155B7A94

Strings

map/set too long, xrefs: 00007FF7155B7A54

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: ProcessThreadWindowXlength_error@std@@
String ID: map/set too long
API String ID: 2154790705-558153379
Opcode ID: 35c54335bf823755138c13e43ffd7192e90c78215ca46cad63b169721952d0b0
Instruction ID: 7dcef5141ae0b3eff321fb09b043899f3768833f5671e837d219d82c40f517be
Opcode Fuzzy Hash: 35c54335bf823755138c13e43ffd7192e90c78215ca46cad63b169721952d0b0
Instruction Fuzzy Hash: CCF0C235B1CE4186EB64AB14F840129A373FB48FA4FD40831DA8D46B74CF6CE2988B10

Function 00007FF7155DA986 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7155DCFB0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD136
Part of subcall function 00007FF7155DCFB0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD13D
Part of subcall function 00007FF7155DCFB0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF7155D8D79), ref: 00007FF7155DD14A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7155DA93B

Strings

H, xrefs: 00007FF7155DA98C
[-] Warning PiDDBCacheTable not found, xrefs: 00007FF7155DA990

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_?setstate@?$basic_ios@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V01@@
String ID: H$[-] Warning PiDDBCacheTable not found
API String ID: 2638164236-1616274805
Opcode ID: c8017ddf6779bab732e2fe6b8a2b8e3691216272f5b6195d37b01848c484593d
Instruction ID: 60acd377d6e2f8ffe8f42a728d193944e73e3e0ae0b9e79b84802f623cc0c7af
Opcode Fuzzy Hash: c8017ddf6779bab732e2fe6b8a2b8e3691216272f5b6195d37b01848c484593d
Instruction Fuzzy Hash: A0F0E22B60CA8289E758FB20D0041BCA367EB09FA4FC45072DE5E07265DF3CE08AD320

Function 00007FF7155CD830 Relevance: 5.2, APIs: 4, Instructions: 246COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CD8F1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CD95E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CDC02
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7155CDC29

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: cfe6639f7e57b07e67f4aaa41856a5aca06cb8380c28ac8d680cb2683af5e257
Instruction ID: e76ae16417a32ab319af807b283e3dc9438027fca0e83bf23b064ae9c55a3621
Opcode Fuzzy Hash: cfe6639f7e57b07e67f4aaa41856a5aca06cb8380c28ac8d680cb2683af5e257
Instruction Fuzzy Hash: 1AB12936E18EC485E715EB35944027EF7A8FF88B98F444332EE8952674DB38E446C720

Function 00007FF7155C7A10 Relevance: 5.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7155BDF6D), ref: 00007FF7155C7A8A
memcpy.VCRUNTIME140(?,?,00000000,00007FF7155BDF6D), ref: 00007FF7155C7AA5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF7155BDF6D), ref: 00007FF7155C7ACC
memmove.VCRUNTIME140(?,?,00000000,00007FF7155BDF6D), ref: 00007FF7155C7AF5

Memory Dump Source

Source File: 00000000.00000002.2701011845.00007FF7155A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7155A0000, based on PE: true

Associated: 00000000.00000002.2700998530.00007FF7155A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701051759.00007FF7155FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7155FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701066643.00007FF7156AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701289369.00007FF715824000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2701305971.00007FF715826000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7155a0000_eOlMJXTCUH.jbxd

Yara matches

Similarity

API ID: freemallocmemcpymemmove
String ID:
API String ID: 2074075965-0
Opcode ID: db88b2c67157547d69eee49c3a69162be6126e68afc3b426aa020cb019e4c1a3
Instruction ID: a51929de4173bcf9701d1e1709bc0a909025ccd8b9706099a85369578bcc351b
Opcode Fuzzy Hash: db88b2c67157547d69eee49c3a69162be6126e68afc3b426aa020cb019e4c1a3
Instruction Fuzzy Hash: 1D31D47AB18E8581EB08AF15D840138B366FB44FE4F48C036DA5D47B69DF2CE545C360

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eOlMJXTCUH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: eOlMJXTCUH.exePID: 2884, Parent PID: 4084

General

Chronological Activities

Windows Analysis Report
eOlMJXTCUH.exe