Edit tour

Windows Analysis Report
9HwMaWcccx.exe

Overview

General Information

Sample name:	9HwMaWcccx.exe renamed because original name is a hash value
Original sample name:	3f766be1002f79cef2a8b0656f18ecb9.exe
Analysis ID:	1520466
MD5:	3f766be1002f79cef2a8b0656f18ecb9
SHA1:	f2dfd38d36c8d938b5b64da74755a2b91a2a4fe6
SHA256:	538657e0e69a3e37da94646672537f3c7764a81d0b0896c7305f06f799245d92
Tags:	exeuser-abuse_ch
Infos:

Detection

BlackMoon

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected BlackMoon Ransomware

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

9HwMaWcccx.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\9HwMaWcccx.exe" MD5: 3F766BE1002F79CEF2A8B0656F18ECB9)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
KrBanker, BlackMoon	ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.	No Attribution	http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/ https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/ https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/	https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
9HwMaWcccx.exe	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
9HwMaWcccx.exe	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xfbb30:$s1: blackmoon 0xfbb70:$s2: BlackMoon RunTime Error:

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1690163995.00007FF69C32E000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: 9HwMaWcccx.exe PID: 7404	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.9HwMaWcccx.exe.7ff69c338390.1.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.9HwMaWcccx.exe.7ff69c338390.1.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x92ba0:$s1: blackmoon 0x92be0:$s2: BlackMoon RunTime Error:
0.0.9HwMaWcccx.exe.7ff69c338390.2.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.9HwMaWcccx.exe.7ff69c338390.2.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x92ba0:$s1: blackmoon 0x92be0:$s2: BlackMoon RunTime Error:
0.0.9HwMaWcccx.exe.7ff69c32fc80.3.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.9HwMaWcccx.exe.7ff69c32fc80.3.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x9d2b0:$s1: blackmoon 0x9d2f0:$s2: BlackMoon RunTime Error:
0.2.9HwMaWcccx.exe.7ff69c338390.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.9HwMaWcccx.exe.7ff69c338390.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x94ba0:$s1: blackmoon 0x94be0:$s2: BlackMoon RunTime Error:
0.2.9HwMaWcccx.exe.7ff69c33b5c9.3.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.9HwMaWcccx.exe.7ff69c33b5c9.3.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x91967:$s1: blackmoon 0x919a7:$s2: BlackMoon RunTime Error:
0.0.9HwMaWcccx.exe.7ff69c33b5c9.1.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.9HwMaWcccx.exe.7ff69c33b5c9.1.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x91967:$s1: blackmoon 0x919a7:$s2: BlackMoon RunTime Error:
0.0.9HwMaWcccx.exe.7ff69c338390.2.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.9HwMaWcccx.exe.7ff69c338390.2.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x94ba0:$s1: blackmoon 0x94be0:$s2: BlackMoon RunTime Error:
0.2.9HwMaWcccx.exe.7ff69c2d0000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.9HwMaWcccx.exe.7ff69c2d0000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xfbb30:$s1: blackmoon 0xfbb70:$s2: BlackMoon RunTime Error:
0.2.9HwMaWcccx.exe.7ff69c32fc80.2.raw.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.2.9HwMaWcccx.exe.7ff69c32fc80.2.raw.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0x9d2b0:$s1: blackmoon 0x9d2f0:$s2: BlackMoon RunTime Error:
0.0.9HwMaWcccx.exe.7ff69c2d0000.0.unpack	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
0.0.9HwMaWcccx.exe.7ff69c2d0000.0.unpack	MALWARE_Win_BlackMoon	Detects executables using BlackMoon RunTime	ditekSHen	0xfbb30:$s1: blackmoon 0xfbb70:$s2: BlackMoon RunTime Error:
Click to see the 15 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 9HwMaWcccx.exe

ReversingLabs: Detection: 44%

Machine Learning detection for sample

Source: 9HwMaWcccx.exe

Joe Sandbox ML: detected

Source: 9HwMaWcccx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb@@ source: 9HwMaWcccx.exe
Source:	Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb source: 9HwMaWcccx.exe
Source:	Binary string: C:\Windows\Start.pdb source: 9HwMaWcccx.exe
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: 9HwMaWcccx.exe

Source: 9HwMaWcccx.exe	String found in binary or memory: http://103.239.244.218:8898/
Source: 9HwMaWcccx.exe	String found in binary or memory: http://103.239.244.218:8898/1c5b7aafca5f2cef32b8aea1ded2a1e9ed7a8f4b6d7cc93d3f1b914b61ea0731a?datamo
Source: 9HwMaWcccx.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 9HwMaWcccx.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: 9HwMaWcccx.exe	String found in binary or memory: http://top6666.top/top/version.txt
Source: 9HwMaWcccx.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 9HwMaWcccx.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 9HwMaWcccx.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 9HwMaWcccx.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C2F6F90 _Init_thread_footer,free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00007FF69C2F6F90

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C2F7100 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF69C2F7100

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C2F6F90 _Init_thread_footer,free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00007FF69C2F6F90

Spam, unwanted Advertisements and Ransom Demands

Yara detected BlackMoon Ransomware

Source: Yara match	File source: 9HwMaWcccx.exe, type: SAMPLE
Source: Yara match	File source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.9HwMaWcccx.exe.7ff69c32fc80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9HwMaWcccx.exe.7ff69c33b5c9.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.9HwMaWcccx.exe.7ff69c33b5c9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9HwMaWcccx.exe.7ff69c32fc80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1690163995.00007FF69C32E000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9HwMaWcccx.exe PID: 7404, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 9HwMaWcccx.exe, type: SAMPLE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.9HwMaWcccx.exe.7ff69c32fc80.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.9HwMaWcccx.exe.7ff69c33b5c9.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.9HwMaWcccx.exe.7ff69c33b5c9.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.9HwMaWcccx.exe.7ff69c32fc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen

Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C309FB0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree,		0_2_00007FF69C309FB0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C329FD0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn,		0_2_00007FF69C329FD0

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C3097B0: DeviceIoControl,

0_2_00007FF69C3097B0

Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E696A	0_2_00007FF69C2E696A
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E6D5E	0_2_00007FF69C2E6D5E
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2F85B0	0_2_00007FF69C2F85B0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E61DE	0_2_00007FF69C2E61DE
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E65BC	0_2_00007FF69C2E65BC
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E8230	0_2_00007FF69C2E8230
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2FDE20	0_2_00007FF69C2FDE20
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C305E20	0_2_00007FF69C305E20
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E6E05	0_2_00007FF69C2E6E05
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C300A70	0_2_00007FF69C300A70
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E7245	0_2_00007FF69C2E7245
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E6A3F	0_2_00007FF69C2E6A3F
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C303E40	0_2_00007FF69C303E40
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E9AB0	0_2_00007FF69C2E9AB0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2FD2B0	0_2_00007FF69C2FD2B0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2FC690	0_2_00007FF69C2FC690
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E62F1	0_2_00007FF69C2E62F1
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E66E7	0_2_00007FF69C2E66E7
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2FE320	0_2_00007FF69C2FE320
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2FDB70	0_2_00007FF69C2FDB70
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2FAB50	0_2_00007FF69C2FAB50
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C309FB0	0_2_00007FF69C309FB0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E57A5	0_2_00007FF69C2E57A5
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2F2BA0	0_2_00007FF69C2F2BA0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2F139F	0_2_00007FF69C2F139F
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E5F95	0_2_00007FF69C2E5F95
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C303380	0_2_00007FF69C303380
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C31FC10	0_2_00007FF69C31FC10
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2FFBD0	0_2_00007FF69C2FFBD0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C3077C0	0_2_00007FF69C3077C0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C308BC0	0_2_00007FF69C308BC0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2F5070	0_2_00007FF69C2F5070
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E585C	0_2_00007FF69C2E585C
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E709B	0_2_00007FF69C2E709B
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E5CD7	0_2_00007FF69C2E5CD7
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C3050D0	0_2_00007FF69C3050D0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C3020C0	0_2_00007FF69C3020C0
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2FCD30	0_2_00007FF69C2FCD30
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E6124	0_2_00007FF69C2E6124
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2F9910	0_2_00007FF69C2F9910
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Code function: 0_2_00007FF69C2E650B	0_2_00007FF69C2E650B

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: String function: 00007FF69C2E75E0 appears 47 times

Source: 9HwMaWcccx.exe, 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs 9HwMaWcccx.exe
Source: 9HwMaWcccx.exe, 00000000.00000000.1690163995.00007FF69C32E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs 9HwMaWcccx.exe
Source: 9HwMaWcccx.exe	Binary or memory string: OriginalFilenameiQVW64.SYSH vs 9HwMaWcccx.exe

Source: 9HwMaWcccx.exe, type: SAMPLE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.9HwMaWcccx.exe.7ff69c32fc80.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.9HwMaWcccx.exe.7ff69c338390.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.9HwMaWcccx.exe.7ff69c33b5c9.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.9HwMaWcccx.exe.7ff69c33b5c9.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.9HwMaWcccx.exe.7ff69c338390.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.9HwMaWcccx.exe.7ff69c32fc80.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.9HwMaWcccx.exe.7ff69c2d0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime

Source: 9HwMaWcccx.exe	Binary string: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZstring too longbad cast\\\.\Nal[-] \Device\Nal is already in use.[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver iqvw64e.sysntoskrnl.exe[-] Failed to get ntoskrnl.exe[-] Failed to ClearPiDDBCacheTable[-] Failed to ClearKernelHashBucketList[!] Failed to ClearMmUnloadedDrivers[<] Unloading vulnerable driver[!] Error dumping shit inside the disk[+] Vul driver data destroyed before unlink[-] Failed to translate virtual address 0x[-] Failed to map IO space of 0x[!] Failed to unmap IO space of physical address 0xExAllocatePoolWithTag[!] Failed to find ExAllocatePoolExFreePool[!] Failed to find device_object[!] Failed to find driver_object[!] Failed to find driver_section[!] Failed to find driver name[!] Failed to read driver name[!] Failed to write driver name length[+] MmUnloadedDrivers Cleaned: ExAcquireResourceExclusiveLite[!] Failed to find ExAcquireResourceExclusiveLiteExReleaseResourceLite[!] Failed to find ExReleaseResourceLiteRtlDeleteElementGenericTableAvl[!] Failed to find RtlDeleteElementGenericTableAvlRtlLookupElementGenericTableAvl[!] Failed to find RtlLookupElementGenericTableAvlxxxxxx????xxxxx????xxx????xxxxx????x????xx?x
Source: 9HwMaWcccx.exe	Binary string: \Device\Nal

Source: classification engine

Classification label: mal68.rans.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C31F770 _invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindResourceExW,LoadResource,LockResource,SizeofResource,FindResourceW,LoadResource,LockResource,SizeofResource,WideCharToMultiByte,WideCharToMultiByte,

0_2_00007FF69C31F770

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03

Source: 9HwMaWcccx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9HwMaWcccx.exe

ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\9HwMaWcccx.exe "C:\Users\user\Desktop\9HwMaWcccx.exe"
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Section loaded: d3dcompiler_43.dll	Jump to behavior
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9HwMaWcccx.exe	Section loaded: vcruntime140.dll	Jump to behavior

Source: 9HwMaWcccx.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 9HwMaWcccx.exe

Static file information: File size 2647552 > 1048576

Source: 9HwMaWcccx.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x225c00

Source: 9HwMaWcccx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9HwMaWcccx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9HwMaWcccx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9HwMaWcccx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9HwMaWcccx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9HwMaWcccx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 9HwMaWcccx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 9HwMaWcccx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb@@ source: 9HwMaWcccx.exe
Source:	Binary string: \COD_TB\x64\Release\TOP_2.4.6.pdb source: 9HwMaWcccx.exe
Source:	Binary string: C:\Windows\Start.pdb source: 9HwMaWcccx.exe
Source:	Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: 9HwMaWcccx.exe

Source: 9HwMaWcccx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9HwMaWcccx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9HwMaWcccx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9HwMaWcccx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9HwMaWcccx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C2E8140 InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort,

0_2_00007FF69C2E8140

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C3039B1 push 8B48D68Bh; retf

0_2_00007FF69C3039BC

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C309FB0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,memset,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree,

0_2_00007FF69C309FB0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C32B410 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF69C32B410

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C32B410 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF69C32B410

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

0_2_00007FF69C309FB0

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C2E8140 InitOnceBeginInitialize,LoadLibraryA,InitOnceComplete,LoadLibraryA,GetProcAddress,abort,

0_2_00007FF69C2E8140

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C3087A0 GetProcessHeap,_Init_thread_footer,_Init_thread_footer,

0_2_00007FF69C3087A0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C32A968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF69C32A968

Source: C:\Users\user\Desktop\9HwMaWcccx.exe

Code function: 0_2_00007FF69C32B290 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF69C32B290

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	4 Security Software Discovery	Remote Desktop Protocol	3 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9HwMaWcccx.exe	45%	ReversingLabs
9HwMaWcccx.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://103.239.244.218:8898/1c5b7aafca5f2cef32b8aea1ded2a1e9ed7a8f4b6d7cc93d3f1b914b61ea0731a?datamo	9HwMaWcccx.exe	false		unknown
http://www.eyuyan.com)DVarFileInfo$	9HwMaWcccx.exe	false		unknown
http://top6666.top/top/version.txt	9HwMaWcccx.exe	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	9HwMaWcccx.exe	false	URL Reputation: safe	unknown
http://103.239.244.218:8898/	9HwMaWcccx.exe	false		unknown
http://ocsp.thawte.com0	9HwMaWcccx.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520466
Start date and time:	2024-09-27 11:28:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9HwMaWcccx.exe renamed because original name is a hash value
Original Sample Name:	3f766be1002f79cef2a8b0656f18ecb9.exe
Detection:	MAL
Classification:	mal68.rans.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 98
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 9HwMaWcccx.exe, PID 7404 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 9HwMaWcccx.exe

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.704912767605965
TrID:	Win64 Executable Console (202006/5) 81.26% UPX compressed Win32 Executable (30571/9) 12.30% Win64 Executable (generic) (12005/4) 4.83% Generic Win/DOS Executable (2004/3) 0.81% DOS Executable Generic (2002/1) 0.81%
File name:	9HwMaWcccx.exe
File size:	2'647'552 bytes
MD5:	3f766be1002f79cef2a8b0656f18ecb9
SHA1:	f2dfd38d36c8d938b5b64da74755a2b91a2a4fe6
SHA256:	538657e0e69a3e37da94646672537f3c7764a81d0b0896c7305f06f799245d92
SHA512:	6e2e722cfbffd3cc186e25be09906429f181c86f4210385f7e26e74ad1f8f7d3d066f7b3fd75aaa927c2cb569aaccd7f24e058c8ad06757ecac4798abc5c01e9
SSDEEP:	49152:sevcjewG0HVzQOhOXjJCEKEQIvufRoGpfPACp:sdG0VcOhOzJzLYoGpfP5
TLSH:	E9C55C02B5DC9E69C81AD33D8951111ED2A9FD085FA10B8783D84C745FFB4BA0DA9BE3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................>.......................................P.............'.1.............2.......2.......2.R.....2.......Rich...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14005ae64
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x663E6957 [Fri May 10 18:37:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4e9653c358320c642fba6c227fa69d9f

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F10FC521B98h
dec eax
add esp, 28h
jmp 00007F10FC5215E7h
int3
int3
dec eax
and dword ptr [ecx+10h], 00000000h
dec eax
lea eax, dword ptr [00003E54h]
dec eax
mov dword ptr [ecx+08h], eax
dec eax
lea eax, dword ptr [00003E39h]
dec eax
mov dword ptr [ecx], eax
dec eax
mov eax, ecx
ret
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F10FC521747h
dec eax
lea edx, dword ptr [0022503Bh]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F10FC521E3Eh
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc ebp
xor ebx, ebx
inc esp
mov ecx, ebx
inc ecx
xor eax, 6C65746Eh
inc ecx
xor ecx, 756E6547h
inc esp
mov edx, edx
mov esi, eax
xor ecx, ecx
inc ecx
lea eax, dword ptr [ebx+01h]
inc ebp
or ecx, eax
cpuid
inc ecx
xor edx, 49656E69h
mov dword ptr [esp], eax
inc ebp
or ecx, edx
mov dword ptr [esp+04h], ebx
mov edi, ecx
mov dword ptr [esp+08h], ecx
mov dword ptr [esp+0Ch], edx
jne 00007F10FC5217C2h
dec eax
or dword ptr [00229107h], FFFFFFFFh
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007F10FC52179Ah
cmp eax, 00020660h
je 00007F10FC521793h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x280090	0x9b0	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x280a40	0x1cc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28a000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x286000	0x30c0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28b000	0x170	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x279960	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x279b80	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2799d0	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5e000	0xac0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c624	0x5c800	d551b04880b31482051766135d771288	False	0.4805927998310811	data	6.316863334776826	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5e000	0x225a54	0x225c00	f31c0a268ccd4ace3910dcd8a5f690b5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x284000	0x1a88	0x800	85dcc06e90c53b8d7d90996a9e538618	False	0.244140625	DOS executable (block device driver \322f\324\377\3772)	3.385291919763453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x286000	0x30c0	0x3200	223aa9e06b50db4206497b5cbf1fce8e	False	0.4678125	data	5.781812070528729	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x28a000	0x1e0	0x200	36134ee3ad78dcf3977297171cc7b586	False	0.53125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28b000	0x170	0x200	5feab6d22e7711133c8455f3705261b9	False	0.576171875	data	4.111487666917551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x28a060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
d3d11.dll	D3D11CreateDeviceAndSwapChain
D3DCOMPILER_43.dll	D3DCompile
IMM32.dll	ImmSetCompositionWindow, ImmGetContext, ImmReleaseContext
WINHTTP.dll	WinHttpOpenRequest, WinHttpOpen, WinHttpSendRequest, WinHttpConnect, WinHttpQueryDataAvailable, WinHttpReceiveResponse, WinHttpCloseHandle, WinHttpReadData
KERNEL32.dll	UnhandledExceptionFilter, GetModuleHandleW, CreateEventW, WaitForSingleObjectEx, ResetEvent, LoadLibraryA, GetProcAddress, GetTickCount, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, QueryPerformanceFrequency, QueryPerformanceCounter, HeapFree, VirtualFree, DeviceIoControl, VirtualAlloc, InitializeCriticalSectionEx, CreateFileW, GetCurrentThreadId, GetModuleHandleA, HeapSize, GetLastError, HeapReAlloc, CloseHandle, RaiseException, HeapAlloc, HeapDestroy, DeleteCriticalSection, GetCurrentProcessId, IsProcessorFeaturePresent, ReadFile, IsDebuggerPresent, Process32First, SetConsoleTitleA, GetCurrentProcess, WriteFile, TerminateProcess, CreatePipe, GetTempPathW, WaitForSingleObject, OpenProcess, CreateToolhelp32Snapshot, MultiByteToWideChar, Sleep, GetTempPathA, K32GetModuleFileNameExA, LockResource, Process32Next, WritePrivateProfileStringA, FindResourceExW, LoadResource, FindResourceW, K32EnumProcesses, GetStartupInfoA, CreateProcessW, WideCharToMultiByte, GetConsoleWindow, lstrcmpiA, CreateProcessA, GetPrivateProfileIntA, GetPrivateProfileStringA, SetConsoleTitleW, SetEvent, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, InitOnceBeginInitialize, InitOnceComplete, OutputDebugStringW, SetUnhandledExceptionFilter, SizeofResource, GetSystemTimeAsFileTime, GetProcessHeap, InitializeSListHead
USER32.dll	GetMessageA, DispatchMessageA, GetWindowRect, DestroyWindow, SetWindowPos, GetClassNameA, ShowWindow, GetAsyncKeyState, GetWindowTextA, MessageBoxA, MoveWindow, DefWindowProcA, SetLayeredWindowAttributes, TranslateMessage, LoadIconA, PeekMessageA, GetSystemMetrics, SetWindowLongPtrA, RegisterClassExA, GetKeyState, LoadCursorA, ScreenToClient, GetCapture, ClientToScreen, GetForegroundWindow, SetCapture, SetCursor, GetClientRect, ReleaseCapture, SetCursorPos, GetCursorPos, OpenClipboard, PostQuitMessage, GetWindowThreadProcessId, SetClipboardData, GetClipboardData, CloseClipboard, EmptyClipboard, EnumWindows
ADVAPI32.dll	RegCreateKeyW, RegDeleteKeyW, RegCloseKey, RegSetKeyValueW, RegOpenKeyW
MSVCP140.dll	?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, _Xtime_get_ticks, _Thrd_detach, _Query_perf_counter, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, _Cnd_do_broadcast_at_thread_exit, ?id@?$ctype@D@std@@2V0locale@2@A, ?_Throw_C_error@std@@YAXH@Z, ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Xinvalid_argument@std@@YAXPEBD@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Throw_Cpp_error@std@@YAXH@Z, _Query_perf_frequency, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@G@Z, _Thrd_sleep, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?_Xlength_error@std@@YAXPEBD@Z, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?uncaught_exception@std@@YA_NXZ, ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A, ?id@?$ctype@_W@std@@2V0locale@2@A, ?_Xout_of_range@std@@YAXPEBD@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z, ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?widen@?$ctype@_W@std@@QEBA_WD@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
ntdll.dll	RtlVirtualUnwind, RtlInitUnicodeString, RtlCaptureContext, RtlLookupFunctionEntry, NtQuerySystemInformation
WS2_32.dll	inet_addr, gethostbyname, recv, connect, socket, send, closesocket, WSACleanup, htons, WSAStartup
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	memcmp, memchr, memcpy, memmove, memset, _CxxThrowException, __current_exception_context, __current_exception, __C_specific_handler, strstr, __std_exception_copy, __std_exception_destroy, __std_terminate
api-ms-win-crt-runtime-l1-1-0.dll	_invalid_parameter_noinfo_noreturn, _errno, _register_thread_local_exe_atexit_callback, exit, terminate, abort, _c_exit, _invalid_parameter_noinfo, _beginthreadex, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, __p___argv, _get_initial_narrow_environment, _initterm, _initterm_e, _exit, __p___argc
api-ms-win-crt-stdio-l1-1-0.dll	fopen, __acrt_iob_func, fflush, fclose, _get_stream_buffer_pointers, __p__commode, _fseeki64, _set_fmode, fseek, fsetpos, ungetc, __stdio_common_vfprintf, setvbuf, fgetpos, fgetc, fwrite, fputc, __stdio_common_vsscanf, fread, __stdio_common_vsprintf, _wfopen, ftell
api-ms-win-crt-string-l1-1-0.dll	_stricmp, strncmp, isdigit, tolower, strcpy_s, isspace, strcmp
api-ms-win-crt-utility-l1-1-0.dll	rand, srand, qsort
api-ms-win-crt-heap-l1-1-0.dll	realloc, _callnewh, free, _set_new_mode, malloc
api-ms-win-crt-convert-l1-1-0.dll	strtod, atoi, strtol
api-ms-win-crt-filesystem-l1-1-0.dll	_lock_file, _unlock_file, _wremove
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-math-l1-1-0.dll	fmod, sqrtf, sinf, sqrt, pow, _dclass, floorf, __setusermatherr, ceilf, cosf, sin, cos, fmodf
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Exports

Name	Ordinal	Address
cJSON_AddArrayToObject	1	0x140055d30
cJSON_AddBoolToObject	2	0x140055920
cJSON_AddFalseToObject	3	0x140055840
cJSON_AddItemReferenceToArray	4	0x1400555b0
cJSON_AddItemReferenceToObject	5	0x140055630
cJSON_AddItemToArray	6	0x140055410
cJSON_AddItemToObject	7	0x140055570
cJSON_AddItemToObjectCS	8	0x140055590
cJSON_AddNullToObject	9	0x140055680
cJSON_AddNumberToObject	10	0x140055a10
cJSON_AddObjectToObject	11	0x140055c50
cJSON_AddRawToObject	12	0x140055b90
cJSON_AddStringToObject	13	0x140055ad0
cJSON_AddTrueToObject	14	0x140055760
cJSON_Compare	15	0x1400572c0
cJSON_CreateArray	16	0x140056970
cJSON_CreateArrayReference	17	0x140056820
cJSON_CreateBool	18	0x1400565a0
cJSON_CreateDoubleArray	19	0x140056c70
cJSON_CreateFalse	20	0x140056560
cJSON_CreateFloatArray	21	0x140056b30
cJSON_CreateIntArray	22	0x1400569f0
cJSON_CreateNull	23	0x1400564e0
cJSON_CreateNumber	24	0x1400565e0
cJSON_CreateObject	25	0x1400569b0
cJSON_CreateObjectReference	26	0x1400567d0
cJSON_CreateRaw	27	0x140056870
cJSON_CreateString	28	0x140056680
cJSON_CreateStringArray	29	0x140056da0
cJSON_CreateStringReference	30	0x140056780
cJSON_CreateTrue	31	0x140056520
cJSON_Delete	32	0x140053320
cJSON_DeleteItemFromArray	33	0x140055f20
cJSON_DeleteItemFromObject	34	0x1400560c0
cJSON_DeleteItemFromObjectCaseSensitive	35	0x140056150
cJSON_DetachItemFromArray	36	0x140055e80
cJSON_DetachItemFromObject	37	0x140055fb0
cJSON_DetachItemFromObjectCaseSensitive	38	0x140056030
cJSON_DetachItemViaPointer	39	0x140055e10
cJSON_Duplicate	40	0x140056ed0
cJSON_GetArrayItem	41	0x140055210
cJSON_GetArraySize	42	0x1400551f0
cJSON_GetErrorPtr	43	0x1400531e0
cJSON_GetNumberValue	44	0x140053210
cJSON_GetObjectItem	45	0x140055360
cJSON_GetObjectItemCaseSensitive	46	0x140055370
cJSON_GetStringValue	47	0x1400531f0
cJSON_HasObjectItem	48	0x140055380
cJSON_InitHooks	49	0x140053280
cJSON_InsertItemInArray	50	0x1400561e0
cJSON_IsArray	51	0x140057290
cJSON_IsBool	52	0x140057240
cJSON_IsFalse	53	0x140057220
cJSON_IsInvalid	54	0x140057210
cJSON_IsNull	55	0x140057260
cJSON_IsNumber	56	0x140057270
cJSON_IsObject	57	0x1400572a0
cJSON_IsRaw	58	0x1400572b0
cJSON_IsString	59	0x140057280
cJSON_IsTrue	60	0x140057230
cJSON_Minify	61	0x1400570d0
cJSON_Parse	62	0x1400541c0
cJSON_ParseWithLength	63	0x1400541f0
cJSON_ParseWithLengthOpts	64	0x140053f60
cJSON_ParseWithOpts	65	0x140053f30
cJSON_Print	66	0x140054340
cJSON_PrintBuffered	67	0x140054360
cJSON_PrintPreallocated	68	0x140054420
cJSON_PrintUnformatted	69	0x140054350
cJSON_ReplaceItemInArray	70	0x1400563a0
cJSON_ReplaceItemInObject	71	0x1400564c0
cJSON_ReplaceItemInObjectCaseSensitive	72	0x1400564d0
cJSON_ReplaceItemViaPointer	73	0x140056290
cJSON_SetNumberHelper	74	0x1400533a0
cJSON_SetValuestring	75	0x1400533e0
cJSON_Version	76	0x140053230
cJSON_free	77	0x1400575e0
cJSON_malloc	78	0x1400575d0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	05:29:49
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\9HwMaWcccx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\9HwMaWcccx.exe"
Imagebase:	0x7ff69c2d0000
File size:	2'647'552 bytes
MD5 hash:	3F766BE1002F79CEF2A8B0656F18ECB9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000000.00000000.1690163995.00007FF69C32E000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:29:49
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF69C308BC0 Relevance: 82.8, APIs: 33, Strings: 14, Instructions: 509filethreadCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF69C308C02
GetTempPathW.KERNEL32 ref: 00007FF69C308C10
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C308CA3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C308D44
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C308DEB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C308E31
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C308E87

Part of subcall function 00007FF69C3085B0: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF69C30CE7C,?,?,?,00007FF69C2D10DD), ref: 00007FF69C3085BB

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF69C308F06
GetCurrentThreadId.KERNEL32 ref: 00007FF69C308F0F
srand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF69C308F1A
CreateFileW.KERNEL32 ref: 00007FF69C308F47
CloseHandle.KERNEL32 ref: 00007FF69C308F5A

Part of subcall function 00007FF69C30CED0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D056
Part of subcall function 00007FF69C30CED0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D05D
Part of subcall function 00007FF69C30CED0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D06A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C308F7D
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF69C308FC1
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF69C309005
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C30907A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C3090BA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C3090F6

Strings

ntoskrnl.exe, xrefs: 00007FF69C3092F5
\\.\Nal, xrefs: 00007FF69C308F40, 00007FF69C3092BA
[-] Failed to get temp path, xrefs: 00007FF69C308C86
[-] Failed to ClearKernelHashBucketList, xrefs: 00007FF69C30938E
[<] Loading vulnerable driver, Name: , xrefs: 00007FF69C309036
[-] \Device\Nal is already in use., xrefs: 00007FF69C308F60
[-] Failed to load driver iqvw64e.sys, xrefs: 00007FF69C3093AC
[!] Failed to ClearMmUnloadedDrivers, xrefs: 00007FF69C3093A3
[-] Failed to get ntoskrnl.exe, xrefs: 00007FF69C309364
gfff, xrefs: 00007FF69C308FCA
[-] Failed to register and start service for the vulnerable driver, xrefs: 00007FF69C30925B
[-] Failed to ClearPiDDBCacheTable, xrefs: 00007FF69C309379
[-] Failed to create vulnerable driver file, xrefs: 00007FF69C3091D7
[-] Can't find TEMP folder, xrefs: 00007FF69C3090D9

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@_V01@@$rand$?setstate@?$basic_ios@_?uncaught_exception@std@@CloseCreateCurrentFileHandleOsfx@?$basic_ostream@_PathTempThreadXlength_error@std@@_time64memsetsrand
String ID: [!] Failed to ClearMmUnloadedDrivers$[-] Can't find TEMP folder$[-] Failed to ClearKernelHashBucketList$[-] Failed to ClearPiDDBCacheTable$[-] Failed to create vulnerable driver file$[-] Failed to get ntoskrnl.exe$[-] Failed to get temp path$[-] Failed to load driver iqvw64e.sys$[-] Failed to register and start service for the vulnerable driver$[-] \Device\Nal is already in use.$[<] Loading vulnerable driver, Name: $\\.\Nal$gfff$ntoskrnl.exe
API String ID: 1183820329-3036430678
Opcode ID: f3ca22765dd96d4980d08333fac5d2135fde82723dfa3fed4ad6d1f93ad5340a
Instruction ID: 454325cf1060f81ef0820af0648df5168051260e8398181ff2b7816bef3c46ee
Opcode Fuzzy Hash: f3ca22765dd96d4980d08333fac5d2135fde82723dfa3fed4ad6d1f93ad5340a
Instruction Fuzzy Hash: E1328A22B18B4386EF20DB65E894BAD2371FB847A5F405279DA5D83AE8DF7CE045C740

Function 00007FF69C31FC10 Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 255libraryloaderCOMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF69C320BA2), ref: 00007FF69C31FC38
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF69C320BA2), ref: 00007FF69C31FC52
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF69C320BA2), ref: 00007FF69C31FC7C
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF69C320BA2), ref: 00007FF69C31FCA7
std::_Facet_Register.LIBCPMT ref: 00007FF69C31FCC0
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF69C320BA2), ref: 00007FF69C31FCDF
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C31FD05
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF69C320BA2), ref: 00007FF69C31FDD5
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF69C320BA2), ref: 00007FF69C31FE02
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C31FE31
InitOnceBeginInitialize.KERNEL32 ref: 00007FF69C31FEDC
LoadLibraryA.KERNEL32 ref: 00007FF69C31FEF7
InitOnceComplete.KERNEL32 ref: 00007FF69C31FF09
LoadLibraryA.KERNEL32 ref: 00007FF69C31FF1E
GetProcAddress.KERNEL32 ref: 00007FF69C31FF2E

Part of subcall function 00007FF69C32A2C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69C2D100E), ref: 00007FF69C32A2DA

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C31FFA1

Strings

win32u.dll, xrefs: 00007FF69C31FF17
user32.dll, xrefs: 00007FF69C31FEF0
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF69C31FF27

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskInitLibraryLoadLockit@std@@Once$??0_??1_AddressBeginBid@locale@std@@CompleteD@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@InitializeLocimp@12@ProcRegisterV42@@Vfacet@locale@2@_invalid_parameter_noinfo_noreturnabortmallocmemcpystd::_
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 160556041-2075034528
Opcode ID: 6206f280fa2dadfa05667c7e28cd3ff61d33ac5a3e47a52b561c85f5a158aaa0
Instruction ID: 7ad1b83a23bac2957835ba653375e21dd446254c0d775fdaab7517dd07d0b1ff
Opcode Fuzzy Hash: 6206f280fa2dadfa05667c7e28cd3ff61d33ac5a3e47a52b561c85f5a158aaa0
Instruction Fuzzy Hash: CAB19432A18B4289EB20DF25E8506B973B1FF48B94F444679DA5D87B98DF3CE551C340

Function 00007FF69C309FB0 Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 201nativememoryCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF69C309FEC
VirtualFree.KERNEL32 ref: 00007FF69C30A00B
VirtualAlloc.KERNEL32 ref: 00007FF69C30A020
NtQuerySystemInformation.NTDLL ref: 00007FF69C30A039
GetCurrentProcessId.KERNEL32 ref: 00007FF69C30A09A
VirtualFree.KERNEL32 ref: 00007FF69C30A0D8
memset.VCRUNTIME140 ref: 00007FF69C30A1DA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C30A214

Part of subcall function 00007FF69C3097B0: DeviceIoControl.KERNEL32 ref: 00007FF69C309818

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C30A273
VirtualFree.KERNEL32 ref: 00007FF69C30A2C5

Strings

[!] Failed to write driver name length, xrefs: 00007FF69C30A249
[+] MmUnloadedDrivers Cleaned: , xrefs: 00007FF69C30A252
[!] Failed to find device_object, xrefs: 00007FF69C30A2A9
[!] Failed to find driver_object, xrefs: 00007FF69C30A29D
[!] Failed to find driver_section, xrefs: 00007FF69C30A291
[!] Failed to find driver name, xrefs: 00007FF69C30A285
[!] Failed to read driver name, xrefs: 00007FF69C30A1F7

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: V01@Virtual$Free$??6?$basic_ostream@_InformationQuerySystemU?$char_traits@_V01@@W@std@@@std@@$AllocControlCurrentDeviceProcessmemset
String ID: [!] Failed to find device_object$[!] Failed to find driver name$[!] Failed to find driver_object$[!] Failed to find driver_section$[!] Failed to read driver name$[!] Failed to write driver name length$[+] MmUnloadedDrivers Cleaned:
API String ID: 2853312854-3011715350
Opcode ID: d6fa9558a1ec9e9ce3207363581c8b2d953ecd88c2a007daeb6cafe5f5a7202d
Instruction ID: 16cc3f0eb418bc6253fba00729171d6290592b618648eeb7d1f732b423569dcf
Opcode Fuzzy Hash: d6fa9558a1ec9e9ce3207363581c8b2d953ecd88c2a007daeb6cafe5f5a7202d
Instruction Fuzzy Hash: 23819F62B18A4386FB30CF61A410BF923B1FF45B88F449579DA0E9B685DF3DE6568340

Function 00007FF69C2E8230 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 122libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF69C2E829B
LoadLibraryA.KERNEL32 ref: 00007FF69C2E82B3
InitOnceComplete.KERNEL32 ref: 00007FF69C2E82C5
LoadLibraryA.KERNEL32 ref: 00007FF69C2E82D6
GetProcAddress.KERNEL32 ref: 00007FF69C2E82E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C2E830D
InitOnceBeginInitialize.KERNEL32 ref: 00007FF69C2E838F
LoadLibraryA.KERNEL32 ref: 00007FF69C2E83A7
InitOnceComplete.KERNEL32 ref: 00007FF69C2E83B9
LoadLibraryA.KERNEL32 ref: 00007FF69C2E83CA
GetProcAddress.KERNEL32 ref: 00007FF69C2E83DA
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C2E8402

Strings

win32u.dll, xrefs: 00007FF69C2E82CF, 00007FF69C2E83C3
user32.dll, xrefs: 00007FF69C2E82AC, 00007FF69C2E83A0
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF69C2E82DF, 00007FF69C2E83D3

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: a7b5d91d4b089667b481ec26e39348db2a8c472a7952836f43e9dd7946d80ef3
Instruction ID: 8fa106a529337c508c3b03251d64a946b5c783ce41ed6f8b41ce8291ed211369
Opcode Fuzzy Hash: a7b5d91d4b089667b481ec26e39348db2a8c472a7952836f43e9dd7946d80ef3
Instruction Fuzzy Hash: 8E515C36A18B4286FB60DB25F8597A933F0FB88781F814179C68DC2660EF3CD55ACB50

Function 00007FF69C3020C0 Relevance: 23.5, APIs: 18, Instructions: 1037COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C302248
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C30227B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C30231B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C3023CF
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C3023F8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C302428
memset.VCRUNTIME140 ref: 00007FF69C30243E
memset.VCRUNTIME140 ref: 00007FF69C30244C
memset.VCRUNTIME140 ref: 00007FF69C302459
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C30295B
memset.VCRUNTIME140 ref: 00007FF69C302973
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C302B59
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C302B7F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C302BBF

Part of subcall function 00007FF69C303840: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C303877
Part of subcall function 00007FF69C303840: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C3038A6
Part of subcall function 00007FF69C303840: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C3038D5

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C302FDB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C303002
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C303029
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C3031CE

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: free$malloc$memset
String ID:
API String ID: 1620901979-0
Opcode ID: c3897166b1d3a0ea0604d310b974053e7eedf07446a2a2a20ae26c39f0b66823
Instruction ID: 94a44baf322da1e46a05645e0f1a896a48a32d2ae486ad6467af228127247540
Opcode Fuzzy Hash: c3897166b1d3a0ea0604d310b974053e7eedf07446a2a2a20ae26c39f0b66823
Instruction Fuzzy Hash: 71B2D173A087868AE765CF26D040ABD77B4FB48B84F05827AEE4993795DF39E451CB00

Function 00007FF69C305E20 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 194COMMON

Download Yara Rule

APIs

D3DCompile.D3DCOMPILER_43 ref: 00007FF69C305EBC
D3DCompile.D3DCOMPILER_43 ref: 00007FF69C306081
memset.VCRUNTIME140 ref: 00007FF69C3060F2

Part of subcall function 00007FF69C305C20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C305CB8

Strings

POSITION, xrefs: 00007FF69C305F22
cbuffer vertexBuffer : register(b0) { float4x4 ProjectionMatrix; }; struct VS_INPUT { float2 pos : POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; , xrefs: 00007FF69C305E8C
COLOR, xrefs: 00007FF69C305F3E
TEXCOORD, xrefs: 00007FF69C305F30
@, xrefs: 00007FF69C306014
struct PS_INPUT { float4 pos : SV_POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; sampler sampler0; Texture2D texture0; float4 main(PS_INPUT input) : , xrefs: 00007FF69C306051
main, xrefs: 00007FF69C305E80
ps_4_0, xrefs: 00007FF69C30605C
vs_4_0, xrefs: 00007FF69C305E97

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Compile$mallocmemset
String ID: @$COLOR$POSITION$TEXCOORD$cbuffer vertexBuffer : register(b0) { float4x4 ProjectionMatrix; }; struct VS_INPUT { float2 pos : POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; $main$ps_4_0$struct PS_INPUT { float4 pos : SV_POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; sampler sampler0; Texture2D texture0; float4 main(PS_INPUT input) : $vs_4_0
API String ID: 2232712580-597721571
Opcode ID: 5c7398ce29c9e2931983064d89c1f0186134ba1673e67ec17b3ea0538dbe8722
Instruction ID: 494b16e369b66d98f3e66a2440e0f3f9c3b8831fa65363b002928597221cc06b
Opcode Fuzzy Hash: 5c7398ce29c9e2931983064d89c1f0186134ba1673e67ec17b3ea0538dbe8722
Instruction Fuzzy Hash: D8B131B6A18B86C9E720CF25E8447A977B4F788B88F804176DA8C87B19DF7CD155CB40

Function 00007FF69C31F770 Relevance: 18.2, APIs: 12, Instructions: 228COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000010,00007FF69C31F2C0), ref: 00007FF69C31F7AD
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C31F7DE
FindResourceExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF69C31F2C0), ref: 00007FF69C31F85D
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF69C31F2C0), ref: 00007FF69C31F871
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF69C31F2C0), ref: 00007FF69C31F87F
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF69C31F2C0), ref: 00007FF69C31F893
FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF69C31F2C0), ref: 00007FF69C31F90A
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF69C31F2C0), ref: 00007FF69C31F922

Part of subcall function 00007FF69C32A2C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69C2D100E), ref: 00007FF69C32A2DA

LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF69C31F2C0), ref: 00007FF69C31F934
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF69C31F2C0), ref: 00007FF69C31F94C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF69C31F2C0), ref: 00007FF69C31F9AF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF69C31F2C0), ref: 00007FF69C31FA01

Part of subcall function 00007FF69C3135E0: _CxxThrowException.VCRUNTIME140(?,?,?,?,00007FF69C31FA55), ref: 00007FF69C3135FC

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Resource$ByteCharFindLoadLockMultiSizeofWide$Concurrency::cancel_current_taskExceptionThrow_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 3753685364-0
Opcode ID: b117465dd90b5a9717c96b62bcaf3c687e7899dcdbeb2fabf024ccb5ccbfb89f
Instruction ID: 3a0cb4da810014de7469220432c357049c1b393ea904d0ed857675f953b884fa
Opcode Fuzzy Hash: b117465dd90b5a9717c96b62bcaf3c687e7899dcdbeb2fabf024ccb5ccbfb89f
Instruction Fuzzy Hash: 8571CD22B09A038AEF249B19A454A7962F1FF8CBD0F088579DA5E87794EF3CF4518740

Function 00007FF69C2F9910 Relevance: 15.8, APIs: 10, Instructions: 843COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2F9A57
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2F9FE2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FA012
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FA4C4
memcpy.VCRUNTIME140 ref: 00007FF69C2FA4E7
memcpy.VCRUNTIME140 ref: 00007FF69C2FA502
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FA528
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FA556
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FA597
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FA5C2

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: free$mallocmemcpysqrtf
String ID:
API String ID: 943526449-0
Opcode ID: f4da77536be1bdc4ffe0e6d79d87927b8148b87442f45c6e089df47601a85981
Instruction ID: 03140d6f44b79e0b0323df0f394cac6d2dbd53d76991efd3483f8205a983de07
Opcode Fuzzy Hash: f4da77536be1bdc4ffe0e6d79d87927b8148b87442f45c6e089df47601a85981
Instruction Fuzzy Hash: 20727A12E2CBE949D3228736504227AA7E1EF6E784F19D323ED49A67A1DF3DD442D700

Function 00007FF69C2E8140 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF69C2E81AA
LoadLibraryA.KERNEL32 ref: 00007FF69C2E81C2
InitOnceComplete.KERNEL32 ref: 00007FF69C2E81D4
LoadLibraryA.KERNEL32 ref: 00007FF69C2E81E5
GetProcAddress.KERNEL32 ref: 00007FF69C2E81F5
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C2E821B

Strings

win32u.dll, xrefs: 00007FF69C2E81DE
user32.dll, xrefs: 00007FF69C2E81BB
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF69C2E81EE

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: 56a515e5839327eebcfedade987c5b43f4af7a5b22193b01bfd2392b10779272
Instruction ID: bc3e47bc96b3f3feb483ca3ad69ab5ca2a287e2c22083c0d2c92dfa7365ef4be
Opcode Fuzzy Hash: 56a515e5839327eebcfedade987c5b43f4af7a5b22193b01bfd2392b10779272
Instruction Fuzzy Hash: F0212836A08B4286FB60DB25F85976933F0FB88781F814079C68DC2660DF3DD906CB50

Function 00007FF69C329FD0 Relevance: 13.6, APIs: 9, Instructions: 140nativememoryCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF69C32A000
VirtualFree.KERNEL32 ref: 00007FF69C32A020
VirtualAlloc.KERNEL32 ref: 00007FF69C32A036
NtQuerySystemInformation.NTDLL ref: 00007FF69C32A051
VirtualFree.KERNEL32 ref: 00007FF69C32A072
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF69C32A105
VirtualFree.KERNEL32 ref: 00007FF69C32A161
VirtualFree.KERNEL32 ref: 00007FF69C32A1A3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C32A1DD

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Virtual$Free$InformationQuerySystem$Alloc_invalid_parameter_noinfo_noreturn_stricmp
String ID:
API String ID: 562193759-0
Opcode ID: ff801125d33d93c01ba1703f824679680a0391c8b4a0e3ab84952f2e5c8981ee
Instruction ID: 7ca642534b8d4799ab55da8b4bbfe4c59abbf9901e9d22f62b9ae6315ec94dc2
Opcode Fuzzy Hash: ff801125d33d93c01ba1703f824679680a0391c8b4a0e3ab84952f2e5c8981ee
Instruction Fuzzy Hash: 9B51C522B1894342FF348B15E8207697371FB85BA0F448278DA5E876D8DE3DE5828780

Function 00007FF69C2FD2B0 Relevance: 12.3, APIs: 8, Instructions: 254COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FD3A2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FD3D0
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FD3FF
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FD42A
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FD628
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FD656
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FD685
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FD6B0

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: 26582a4c628592cbcfc8a48c8ebba73374a329a7bd2dda49a3d2637efd342bc2
Instruction ID: 26a8f1b1c935a9608391991bf925d972e47fba5518046686efcf299d3d08ed1a
Opcode Fuzzy Hash: 26582a4c628592cbcfc8a48c8ebba73374a329a7bd2dda49a3d2637efd342bc2
Instruction Fuzzy Hash: 3EB1A522E28BCD45E223963750821F9E260AFBF3C5F2DDB23FD84756B29F6461D16640

Function 00007FF69C2F6F90 Relevance: 12.1, APIs: 8, Instructions: 90clipboardCOMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF69C2F6FEA

Part of subcall function 00007FF69C32A7E8: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF69C2F6FEF), ref: 00007FF69C32A7F8
Part of subcall function 00007FF69C32A7E8: LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF69C2F6FEF), ref: 00007FF69C32A838

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2F701B
OpenClipboard.USER32 ref: 00007FF69C2F7029

Part of subcall function 00007FF69C32A848: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF69C2F6FC0), ref: 00007FF69C32A858

GetClipboardData.USER32 ref: 00007FF69C2F7045
CloseClipboard.USER32 ref: 00007FF69C2F7053
GlobalLock.KERNEL32 ref: 00007FF69C2F706E
GlobalUnlock.KERNEL32 ref: 00007FF69C2F70D2
CloseClipboard.USER32 ref: 00007FF69C2F70D8

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Clipboard$CriticalSection$CloseEnterGlobal$DataInit_thread_footerLeaveLockOpenUnlockfree
String ID:
API String ID: 1560965594-0
Opcode ID: acb4545a513e3baa267c6548374ef3263a2c6403ac0f5ce6b961ea94f767b2b5
Instruction ID: 9d9d9b9cbcf75117dae96a9929663ae742bf9f097a3a707def93005e7e56a8d2
Opcode Fuzzy Hash: acb4545a513e3baa267c6548374ef3263a2c6403ac0f5ce6b961ea94f767b2b5
Instruction Fuzzy Hash: 13414FB0A1E68786FB649B25E96157532B1EF84BA1F8400B9D90EC37A1DF3CE595C300

Function 00007FF69C2F7100 Relevance: 12.1, APIs: 8, Instructions: 82clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF69C2F710B
GlobalAlloc.KERNEL32 ref: 00007FF69C2F717B
GlobalLock.KERNEL32 ref: 00007FF69C2F718C
GlobalUnlock.KERNEL32 ref: 00007FF69C2F71DE
EmptyClipboard.USER32 ref: 00007FF69C2F71E4
SetClipboardData.USER32 ref: 00007FF69C2F71F2
GlobalFree.KERNEL32 ref: 00007FF69C2F7200
CloseClipboard.USER32 ref: 00007FF69C2F7206

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: 6dc8cbfd0d85f3debe7ab90655b5a92a5789fed19d4e9b2fb2c5f500d39e8e7a
Instruction ID: 5a5e85f766ec1d7f9e4628711b4b587fe9c8f425b596227d50639529b09fe0c5
Opcode Fuzzy Hash: 6dc8cbfd0d85f3debe7ab90655b5a92a5789fed19d4e9b2fb2c5f500d39e8e7a
Instruction Fuzzy Hash: 4531CE25A096878AEB309F25E56463AB3B0FF48FA1F084575DA4E87798DE3CE4468700

Function 00007FF69C300A70 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C300C4D
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C300CC5
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C300DB7
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C300E7B

Strings

(, xrefs: 00007FF69C300FCD

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: sqrtf
String ID: (
API String ID: 321154650-3887548279
Opcode ID: e2378b058971f1e54282aec88b23a402023655f3edc0078a29b4db5263802532
Instruction ID: 08e57bdc79b6b306eedbbb23e5157e023f813377c7c544b876e5d55031514faa
Opcode Fuzzy Hash: e2378b058971f1e54282aec88b23a402023655f3edc0078a29b4db5263802532
Instruction Fuzzy Hash: C612B433924BC986D312CF3684425ACB361FF6E788B19D716EA4973665DF34B0A1D740

Function 00007FF69C2FFBD0 Relevance: 9.9, APIs: 6, Instructions: 859COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FFDDE
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FFE68
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FFEF5
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FFF82
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C30004B
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C30088D

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: ffc6f50f49e59fd7a3d3b0ab99e13c79188829b4529bfdddbf72d00557d1fba4
Instruction ID: 37c0610698f72264bcfe5f81aeb219b1d2427e42174f614f2f4d8645c1c700d7
Opcode Fuzzy Hash: ffc6f50f49e59fd7a3d3b0ab99e13c79188829b4529bfdddbf72d00557d1fba4
Instruction Fuzzy Hash: 78926B33920B889AD712CF3785814A8B760FFAD788719DB16EB4963761DB34F1A4DB00

Function 00007FF69C32B410 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FF69C2E5548), ref: 00007FF69C32B426
GetLastError.KERNEL32 ref: 00007FF69C32B471
IsDebuggerPresent.KERNEL32 ref: 00007FF69C32B489
OutputDebugStringW.KERNEL32 ref: 00007FF69C32B49A

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF69C32B493

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: DebugDebuggerErrorLastOutputPresentStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 1848478996-631824599
Opcode ID: 266c74991c935b7eee68aaaafa82ac235d33bcf4181f426e3e516c6d94611a2c
Instruction ID: 605be86a1b1561a5e00c500a0a22fefe96496c0504a2970477cc7bede0cd1465
Opcode Fuzzy Hash: 266c74991c935b7eee68aaaafa82ac235d33bcf4181f426e3e516c6d94611a2c
Instruction Fuzzy Hash: 6D116A32A14B43A7EB249B22DAA6B7933B0FB04345F504179C60D82A90EF3CE0A5C790

Function 00007FF69C2FC690 Relevance: 7.8, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FC71A
memset.VCRUNTIME140 ref: 00007FF69C2FC80A
memset.VCRUNTIME140 ref: 00007FF69C2FC823
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FC8A0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FCADF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FCB29

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: freemallocmemset
String ID:
API String ID: 3809226132-0
Opcode ID: 2caac80cac68e181eb0364134566a3c5761f34e7a28b17c7a6cd57d5d644a967
Instruction ID: 3652972ca11362c7cc0045f7ec6dbf9eb1f645ae7ae27db6d6ae5b3ffe3ef7e9
Opcode Fuzzy Hash: 2caac80cac68e181eb0364134566a3c5761f34e7a28b17c7a6cd57d5d644a967
Instruction Fuzzy Hash: E6D1B332A09ACA86E736CF26D1452B9B3B4FF98784F099631DA4D93364EF38E551D700

Function 00007FF69C3087A0 Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF69C3087E9
_Init_thread_footer.LIBCMT ref: 00007FF69C30881E

Part of subcall function 00007FF69C32A7E8: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF69C2F6FEF), ref: 00007FF69C32A7F8
Part of subcall function 00007FF69C32A7E8: LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF69C2F6FEF), ref: 00007FF69C32A838

_Init_thread_footer.LIBCMT ref: 00007FF69C30889A

Part of subcall function 00007FF69C32A848: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF69C2F6FC0), ref: 00007FF69C32A858

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInit_thread_footer$HeapLeaveProcess
String ID:
API String ID: 3391058595-0
Opcode ID: ff4af8a18ca60028971987facc0615fe84555cad6128b65eba5ef2afa1a93182
Instruction ID: dd80227ac7d0f1b4aeebb30be399c9feead37ae3eaafb2d613845ebab03661e7
Opcode Fuzzy Hash: ff4af8a18ca60028971987facc0615fe84555cad6128b65eba5ef2afa1a93182
Instruction Fuzzy Hash: F93192E1D1AA8386FA30DB24E8906B433B4EF55320FD442B9C55DC22A1DF3CB5A6C780

Function 00007FF69C2FE320 Relevance: 4.2, APIs: 3, Instructions: 425COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69C2FBCD0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FBE26
Part of subcall function 00007FF69C2FBCD0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FBE53
Part of subcall function 00007FF69C2FBCD0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FBE7A
Part of subcall function 00007FF69C2FBCD0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FBE9D

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FE808

Part of subcall function 00007FF69C2FD750: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FD811

Part of subcall function 00007FF69C2FCD30: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FCE48

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FE7C0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FE7E1

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: free$ceilffloorfmalloc
String ID:
API String ID: 573317343-0
Opcode ID: 6854198ddea0d9d97a554b2aae38291e8304f680f2822303275fdeafbac32a3b
Instruction ID: bfa15acc780c61ad567a6710b2fe8f3cba1c2fb6fd019a6ed51fd218e38b48bc
Opcode Fuzzy Hash: 6854198ddea0d9d97a554b2aae38291e8304f680f2822303275fdeafbac32a3b
Instruction Fuzzy Hash: 6212AE32A18B998AE321CB35D5416BD77B4FB5D784F058326EE88A7754EF38E490DB00

Function 00007FF69C3050D0 Relevance: 3.1, APIs: 2, Instructions: 633COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF69C3052EB
memcpy.VCRUNTIME140 ref: 00007FF69C3052FF

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: eb9c73f8496ae1f70285df806dce288dcdcf1ce95c0ab818ad38923df86f1223
Instruction ID: c959e808f83c109bd5db8c3619662a808b84253d19b6592a960bcf8a2ed9bebe
Opcode Fuzzy Hash: eb9c73f8496ae1f70285df806dce288dcdcf1ce95c0ab818ad38923df86f1223
Instruction Fuzzy Hash: 7962F876604A868ADB34DF2AD9846ED7771FB88B88F458226DF0D87B24CF38D565C700

Function 00007FF69C2FCD30 Relevance: 2.7, APIs: 2, Instructions: 222COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FCE48
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FD099

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 8f4ee996a432824188153c76822893e50cbe4264620a9717a4ea7d801bf0618e
Instruction ID: 34d9c5a36e5cd25d42dc9765e35fe364b671f9e4bdc03fe3a053b39c05c4c88f
Opcode Fuzzy Hash: 8f4ee996a432824188153c76822893e50cbe4264620a9717a4ea7d801bf0618e
Instruction Fuzzy Hash: 2A91E232A186C68AEB31CB3A95017B9B760FF99784F14D332DA4DA3756EF38E0419700

Function 00007FF69C2F139F Relevance: 1.6, Strings: 1, Instructions: 393COMMON

Download Yara Rule

Strings

$, xrefs: 00007FF69C2F13A4

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: c877872a515b1d6a4b006e85291a0190f757b99a8b98aeadd2f1842d9ae7f89a
Instruction ID: 345bf4ed09e7ca077173fdfa9084ea7392027e9ba86ae32bb55ef2138f279f48
Opcode Fuzzy Hash: c877872a515b1d6a4b006e85291a0190f757b99a8b98aeadd2f1842d9ae7f89a
Instruction Fuzzy Hash: CD12C533A046CA9BE35ACE3A86413E9B7B0FF59744F489735DB19A7251DF34B4A09B00

Function 00007FF69C3097B0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF69C309818

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: ff0296e3800f32b0881de1ff52e45b9d6db9dc186ae3b92e7ffce593567a8f7d
Instruction ID: f7586833349c03196ebe612ac79100feeabdbf70e68584808859b8a6e73f2d92
Opcode Fuzzy Hash: ff0296e3800f32b0881de1ff52e45b9d6db9dc186ae3b92e7ffce593567a8f7d
Instruction Fuzzy Hash: 67112A36A1CB8182EB60CF10A4597AD33E4FB08390F92817DDAAC46711CF3A9956C740

Function 00007FF69C303380 Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X..., xrefs: 00007FF69C3033BE

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID:
String ID: ..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...
API String ID: 0-3803095028
Opcode ID: d9e5ab4b637f8e77f77e16112f8d867fd2f129ec2ab4ac719343e7a2171ecb36
Instruction ID: 0ee4e67cc496873c1593af1c77f63204da07e83b4a0ddec0d92c51b2b7bf4eba
Opcode Fuzzy Hash: d9e5ab4b637f8e77f77e16112f8d867fd2f129ec2ab4ac719343e7a2171ecb36
Instruction Fuzzy Hash: 53D1F4337086C885D755CF2EC8C5A78BBD6E795F09B4EC169CE89C23A5EA39C446C360

Function 00007FF69C2FDE20 Relevance: 1.4, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF69C2FDE7A

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 729f67153a6c02736e551ac0f5ffdc8412e46b85653d77a8c06f8dd622f7fa21
Instruction ID: 971cd0839be7ddd54756a4baefc6fbe24b9c6066bbdbb6bdd3b9304e82a411e7
Opcode Fuzzy Hash: 729f67153a6c02736e551ac0f5ffdc8412e46b85653d77a8c06f8dd622f7fa21
Instruction Fuzzy Hash: A4613BA361C2E70AE3764B3C655127E6EE0F75D384F1C92B8FA8AD6B85CD3CD9019640

Function 00007FF69C2FDB70 Relevance: 1.4, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF69C2FDBDA

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: c0985f67179dd7b26a864b9182dca4d0cee335b76681cc00b9140182c6323499
Instruction ID: 4e289de0f7bba6e2814d2df5237ac6a0abd7767a76d7e3d7170991e1047cd342
Opcode Fuzzy Hash: c0985f67179dd7b26a864b9182dca4d0cee335b76681cc00b9140182c6323499
Instruction Fuzzy Hash: C7610773B1C7E68AE7258F38A504A79BEB4E789305F0982B5DA8CC7B45CE2ED001D710

Function 00007FF69C3077C0 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b8f3e11e6f41aadea5f7c1f271008c7fbb170fb2af1cf317950ec5c253979f
Instruction ID: 37cb025a8fd14d82f09136eb817f1613302bca20f72c0e821367f9db86dc6158
Opcode Fuzzy Hash: 41b8f3e11e6f41aadea5f7c1f271008c7fbb170fb2af1cf317950ec5c253979f
Instruction Fuzzy Hash: 1A12D723D18B8D86E223CA3790425B97760EF7F3C4F28DB26FE55765A2DF2571918A00

Function 00007FF69C2F2BA0 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9b19d8da00be8a65c3e7db262014b27844155b05bd5ef6e3d80c727e1a38d7
Instruction ID: c509d8bbf12419f487d1e8b03d8206388835f7bb63fbe45dabdc892994d03a3e
Opcode Fuzzy Hash: aa9b19d8da00be8a65c3e7db262014b27844155b05bd5ef6e3d80c727e1a38d7
Instruction Fuzzy Hash: 73D19833C18A9F89F272963741421B873A0EF3F745F1D9B73E948B62A2DF297195A500

Function 00007FF69C2F5070 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11dbbbbe5c6562b380ec59dc0386fa5a8a855f3f721cb70c028e0666f8a3081
Instruction ID: 252200ee10f69b7e5a2ad40b3dca1a8197cf8e4cfb5a9bf3c9695e91e2099c29
Opcode Fuzzy Hash: c11dbbbbe5c6562b380ec59dc0386fa5a8a855f3f721cb70c028e0666f8a3081
Instruction Fuzzy Hash: B7A11973D0A34F8AE677953752027BD66A0EF2A780F18CB76DD0DB2691DF2970946A00

Function 00007FF69C2FAB50 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78562730acf955196f8ff354621768ab3c1d3198a917e8d32a8c6953e924357a
Instruction ID: c0d03c6e4e037f4689ae124d046a4c8152a55f2e8f95c27315dee0b5eb2eae01
Opcode Fuzzy Hash: 78562730acf955196f8ff354621768ab3c1d3198a917e8d32a8c6953e924357a
Instruction Fuzzy Hash: 69A1D333A18AC9CEE711CF2A90411BDBBB0FB59345F158225EF89626A5DF38B585DB00

Function 00007FF69C2F85B0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3559cf259b55d21c8b349bfb0ed6358f7cb0f05fdab1c56cea628709367ec4c2
Instruction ID: 9002f46dadba2be4d6935038c2c9ef1ae2b8c3c09d8b187d432d27f542d30a33
Opcode Fuzzy Hash: 3559cf259b55d21c8b349bfb0ed6358f7cb0f05fdab1c56cea628709367ec4c2
Instruction Fuzzy Hash: 2751E8A66284B547DF608F2AD9816BC77A1E386B43FD480B6D659C2F91C63DC109EF20

Function 00007FF69C2E7245 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9163c28c7e41d9de57337ba7f208092a3a89567fee3f0caecd6913ec5a24e9
Instruction ID: 9a44482842d70ade06b55c040f4cde295ebcc4d544acf05cdb7e356527aaa4dd
Opcode Fuzzy Hash: 6f9163c28c7e41d9de57337ba7f208092a3a89567fee3f0caecd6913ec5a24e9
Instruction Fuzzy Hash: 3241F8A3B1478647DF08CB79B8262B96668D7D9BC4F949436DB4E877E1DE2CE201C300

Function 00007FF69C303E40 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2aaafbd25cd13b6e1f9b35cc9b40f7938a55a5b7433b574255b6fd89e927077
Instruction ID: 88de894b0bd78144075df2ac90ac8f9f615ba419c528c2c94a1eb3c95dd446e1
Opcode Fuzzy Hash: d2aaafbd25cd13b6e1f9b35cc9b40f7938a55a5b7433b574255b6fd89e927077
Instruction Fuzzy Hash: EA41C323A4D35A46E571D62351809796372EFAE780F58C77AEE4C77A84DF38F4858600

Function 00007FF69C2E9AB0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b55a79a8ae3e224c98202bc6dc5e93cc5692f62471ac231e40af0b904b1dc66
Instruction ID: 2612a292bc3ceede29ececa63032d68a61139e1bce73ef04b223e1a64bb52206
Opcode Fuzzy Hash: 8b55a79a8ae3e224c98202bc6dc5e93cc5692f62471ac231e40af0b904b1dc66
Instruction Fuzzy Hash: A631083773865747EB58C634DA22BBC26A1E345340FC9A57AEE5AD76C2DE2DD450C300

Function 00007FF69C2E696A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 62605c598576aef86bb619f29d2fb551c9466e11c5832594cf952a9f2882699e
Instruction ID: 551cf42e375953d57296d0ee0dc9611a1575aa49ea0d1e7de22bcab7a7ffc9de
Opcode Fuzzy Hash: 62605c598576aef86bb619f29d2fb551c9466e11c5832594cf952a9f2882699e
Instruction Fuzzy Hash: A011828071534E47FE94A76AB9692E6D251DB49FC0B08B032DF0D9B75AEE1CE1018300

Function 00007FF69C2E5CD7 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 4c693e3ca04d3f432d60e074b487dffc5f1757b5b730d138431a185616c0d3d9
Instruction ID: 4fbe0b97ac9558f24f61400b2c6d41cd155efb2617201c4b522ba54c67627921
Opcode Fuzzy Hash: 4c693e3ca04d3f432d60e074b487dffc5f1757b5b730d138431a185616c0d3d9
Instruction Fuzzy Hash: 5D116D4072A34E4BFE90EB6BA5352A6D251EB88BC0B0C7036DF0E9B781ED2CE150C300

Function 00007FF69C2E585C Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 29a2a04d7093babeafb4ebb6dcec55dfb8a248905fc0f5f263e870319ae44d93
Instruction ID: 7f2c818b798308c1db5165d3cbfdc574489a7b7af39b333b82a6f245f6c6ebd7
Opcode Fuzzy Hash: 29a2a04d7093babeafb4ebb6dcec55dfb8a248905fc0f5f263e870319ae44d93
Instruction Fuzzy Hash: EA012C4171A35E4BED94AB6B65362B6D2559B88FC0B5D707ACF4E8B741ED2CD041C300

Function 00007FF69C2E57A5 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 4fd6e8a155a838319057d8e45aa4d943befe4e16bb66ec6b5d8daa1d77b11433
Instruction ID: a5c5603a4f8907191533ebc2b236e651f1502e61c4cf94d6d3c2819dabc74cbb
Opcode Fuzzy Hash: 4fd6e8a155a838319057d8e45aa4d943befe4e16bb66ec6b5d8daa1d77b11433
Instruction Fuzzy Hash: BD01808170939942FDA4E6A6A8711B66621DB8CFC0B44B032CF0E9BB4ADD2CD142C240

Function 00007FF69C2E650B Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 1fc07cafffd7efdf5df8025b1480e7de11e1acee288810e102436a8496ef3ec2
Instruction ID: 92fd0c1842fcc47f29b2f4d6cc0c5cb5c466d36658d820e3d48224068d705fbe
Opcode Fuzzy Hash: 1fc07cafffd7efdf5df8025b1480e7de11e1acee288810e102436a8496ef3ec2
Instruction Fuzzy Hash: 15010C9572924E47ED9CE766A97A2369252A78CBC0B50F03ADE8F9B345DD2CE001C300

Function 00007FF69C2E66E7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: d6a845ae21399a0a1e998132fb6c690883b8ac1f85b94a2ff59dd2db94b41b88
Instruction ID: b1b1ee581591635af4f9ec0781f95a61cccab01a5ca52fd38e6805683a784f42
Opcode Fuzzy Hash: d6a845ae21399a0a1e998132fb6c690883b8ac1f85b94a2ff59dd2db94b41b88
Instruction Fuzzy Hash: AB01C04471474A47ED98EB67A57217A9211EB8CFC0B48B037CF4E97B45DD2CE000C300

Function 00007FF69C2E6124 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 8ad0e72bb74499bc48361be9328125688ae2867693181a642736b184a502b303
Instruction ID: 964e5c3141fddcaa3dae9f9c4f4039328aa653b88360d7e9751ac9349cbfa3e3
Opcode Fuzzy Hash: 8ad0e72bb74499bc48361be9328125688ae2867693181a642736b184a502b303
Instruction Fuzzy Hash: BF01929571934A07FD98E6675935376D252AB8CBC0F08F036DE0E9F749DC2CE0018200

Function 00007FF69C2E65BC Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 5f9134c652ff3cd74a6d24e8e2477f3d5bdc7e5dfd38898e940047b9440e2627
Instruction ID: 18518be8d83c348df3a0d2fc8183bd5c7a6c6bd25ff793ced7138ee2c4673ba0
Opcode Fuzzy Hash: 5f9134c652ff3cd74a6d24e8e2477f3d5bdc7e5dfd38898e940047b9440e2627
Instruction Fuzzy Hash: 7301BC14B2934F4BEE84AB67A4711B6D260EB89FC0B4C3072CE0E8B751ED2CE0018300

Function 00007FF69C2E6D5E Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: e51d829709baa367232d561226ca047d48346dcab32a10564c37a8f46f8db4ed
Instruction ID: 12c4b1518f695eab226b2db368d4b5608687ba963458e1e3cbfccf69265a6612
Opcode Fuzzy Hash: e51d829709baa367232d561226ca047d48346dcab32a10564c37a8f46f8db4ed
Instruction Fuzzy Hash: 3A017C11B4C55642EE18E7A6B8761B6A225EB8CF80B49B032EE0FD7B85CE1CD552C344

Function 00007FF69C2E6E05 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 7a8f4e2c4ac60da26ae19f9b9f2302483b6f3b7689048352e6841a58f69b62cd
Instruction ID: 693a7d8075268cec2ea28b81be87be58c62bfdc389e5a8587cdd063561146bd2
Opcode Fuzzy Hash: 7a8f4e2c4ac60da26ae19f9b9f2302483b6f3b7689048352e6841a58f69b62cd
Instruction Fuzzy Hash: F901361172974F4BED98AB6AA4752B65360DB48BC0B583036DE4E97746DD2CE541C304

Function 00007FF69C2E61DE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: df00c9a0010770d2f121cbc5e0522742c3dce75b20311e2a2a4bf3b76a269271
Instruction ID: d82e883189ab8d54ea9a81d6b1e53297d6ad2799ce2a6fdc12a4fd1c53cecdac
Opcode Fuzzy Hash: df00c9a0010770d2f121cbc5e0522742c3dce75b20311e2a2a4bf3b76a269271
Instruction Fuzzy Hash: B0012854B1925642FD94EBA66572176A221FB8CFC4B48B037EE4FA7B45CD6DE502C200

Function 00007FF69C2E62F1 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 7e8405c8f6ceda93b0ac242c38a26ac18f079162abb1355dac40cccdc6752647
Instruction ID: a8064710862d247fed404fea42dc6f02e4f22b7343de858f734e03a6bf4241a9
Opcode Fuzzy Hash: 7e8405c8f6ceda93b0ac242c38a26ac18f079162abb1355dac40cccdc6752647
Instruction Fuzzy Hash: 6101628171924A43FD98E766A9652769226FB8CBC0F44E032DD4EDB799DD2CE4018200

Function 00007FF69C2E709B Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: a336093dbe45dd36b0b0928b26fbed1b0f5448e955a0d63f06a136650774b1de
Instruction ID: f0bb8e207749909efb47d1ba9bc6c651224ef5fba44d04936fea90b7254668cd
Opcode Fuzzy Hash: a336093dbe45dd36b0b0928b26fbed1b0f5448e955a0d63f06a136650774b1de
Instruction Fuzzy Hash: 01016951B0964646EE68EB96B4761B69221EF88FC0B48B036DE0E9B796DE2CD4528300

Function 00007FF69C2E6A3F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: 7510da3d8d73d4f5a775c75310f625e6070a33f984a63c581dc140fc9721fff6
Instruction ID: b068fe682943bbbf3e360cd61babe805aaaf6ad55c4186e4e1c4892d3b10ae02
Opcode Fuzzy Hash: 7510da3d8d73d4f5a775c75310f625e6070a33f984a63c581dc140fc9721fff6
Instruction Fuzzy Hash: 73F0620171E64B46ED98E77AB87A2761290DBC8FC0F54343BDE0F93782DD2CE0419204

Function 00007FF69C2E5F95 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID:
API String ID: 1232333743-0
Opcode ID: b404ea848cb3f30f47cb64cca5bd17c6ec4ca0bd62c8fe8c5867cbd788f72080
Instruction ID: 120c40acf544dc5a62f83d23653eb032a40715becc19e7bce9688b56fba6369a
Opcode Fuzzy Hash: b404ea848cb3f30f47cb64cca5bd17c6ec4ca0bd62c8fe8c5867cbd788f72080
Instruction Fuzzy Hash: DCF01905B5C55242FD54E7A6B8711BAA220EFC8FC4F486072EF4F97B55DD5DD8028240

Function 00007FF69C322AE0 Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 251registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69C308A30: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C308B85

Part of subcall function 00007FF69C30E930: memcpy.VCRUNTIME140 ref: 00007FF69C30EA2E
Part of subcall function 00007FF69C30E930: memcpy.VCRUNTIME140 ref: 00007FF69C30EA3E

RegCreateKeyW.ADVAPI32 ref: 00007FF69C322BC0
RegSetKeyValueW.ADVAPI32 ref: 00007FF69C322C05
RegCloseKey.ADVAPI32 ref: 00007FF69C322C13

Part of subcall function 00007FF69C3085B0: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF69C30CE7C,?,?,?,00007FF69C2D10DD), ref: 00007FF69C3085BB

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C322C36
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C322C81
RegSetKeyValueW.ADVAPI32 ref: 00007FF69C322CAB
RegCloseKey.ADVAPI32 ref: 00007FF69C322CB9
RegCloseKey.ADVAPI32 ref: 00007FF69C322CCB
GetModuleHandleA.KERNEL32 ref: 00007FF69C322CD8
GetProcAddress.KERNEL32 ref: 00007FF69C322CF4
GetProcAddress.KERNEL32 ref: 00007FF69C322D07
RtlInitUnicodeString.NTDLL ref: 00007FF69C322D84
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF69C322DAF
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF69C322DBA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C322DCA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C322E18
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C322E87
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C322EDB

Strings

4, xrefs: 00007FF69C322D58
Type, xrefs: 00007FF69C322CA2
ntdll.dll, xrefs: 00007FF69C322CD1
\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF69C322D61
ImagePath, xrefs: 00007FF69C322BF8
[+] NtLoadDriver Status 0x, xrefs: 00007FF69C322D92
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF69C322B54
[-] Can't create 'Type' registry value, xrefs: 00007FF69C322CBF
[-] Can't create 'ImagePath' registry value, xrefs: 00007FF69C322C19
Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator., xrefs: 00007FF69C322D23
NtLoadDriver, xrefs: 00007FF69C322CFD
[-] Can't create service key, xrefs: 00007FF69C322BCD
RtlAdjustPrivilege, xrefs: 00007FF69C322CEA
\??\, xrefs: 00007FF69C322B96

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: V01@$_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$Close$AddressProcV01@@Valuememcpy$CreateHandleInitModuleStringUnicodeV21@@Vios_base@1@Xlength_error@std@@
String ID: 4$Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator.$ImagePath$NtLoadDriver$RtlAdjustPrivilege$SYSTEM\CurrentControlSet\Services\$Type$[+] NtLoadDriver Status 0x$[-] Can't create 'ImagePath' registry value$[-] Can't create 'Type' registry value$[-] Can't create service key$\??\$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 35767437-3793529226
Opcode ID: 8c8f8f8de1409ed279bd99139388e33a24275795a02349f672a106b53c08b3c8
Instruction ID: 17330f7814e0db9c0c18190f220177240fae9b337316f995b4540cf84d06d03c
Opcode Fuzzy Hash: 8c8f8f8de1409ed279bd99139388e33a24275795a02349f672a106b53c08b3c8
Instruction Fuzzy Hash: 95C19022B18B4395FF20DF65E854BAC2371EB447A8F400679DA5D87AA9DF3CE156C380

Function 00007FF69C322F20 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 178registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF69C322F54
RtlInitUnicodeString.NTDLL ref: 00007FF69C322FC7
RegOpenKeyW.ADVAPI32 ref: 00007FF69C323025
RegCloseKey.ADVAPI32 ref: 00007FF69C32303E
GetProcAddress.KERNEL32 ref: 00007FF69C32304E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF69C323079
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF69C323084
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C323094
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C3230BB
RegDeleteKeyW.ADVAPI32 ref: 00007FF69C3230D6
RegDeleteKeyW.ADVAPI32 ref: 00007FF69C3230F5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C32313C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C323191

Strings

\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF69C322FA4
ntdll.dll, xrefs: 00007FF69C322F4D
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF69C322FFB
NtUnloadDriver, xrefs: 00007FF69C323044
", xrefs: 00007FF69C322FF2
[+] NtUnloadDriver Status 0x, xrefs: 00007FF69C32305C
[-] Driver Unload Failed!!, xrefs: 00007FF69C32309E

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$DeleteV01@@_invalid_parameter_noinfo_noreturn$AddressCloseHandleInitModuleOpenProcStringUnicodeV21@@Vios_base@1@
String ID: "$NtUnloadDriver$SYSTEM\CurrentControlSet\Services\$[+] NtUnloadDriver Status 0x$[-] Driver Unload Failed!!$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 961365364-3977549460
Opcode ID: 54b23a0635b4d3e1588b0ccd67acf59b548978fd5d9e287339531727917d93f7
Instruction ID: 969769ae5171c170f2a87138fd699570edb35a44b8937d5a4e63062adc15d9b6
Opcode Fuzzy Hash: 54b23a0635b4d3e1588b0ccd67acf59b548978fd5d9e287339531727917d93f7
Instruction Fuzzy Hash: D671A261B08A4385EF20DF65E8657AC2375FB487A9F400679DA5D837A8DF3CE156C380

Function 00007FF69C309B40 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C309C10
_Init_thread_footer.LIBCMT ref: 00007FF69C309C24
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C309C50
GetModuleHandleA.KERNEL32 ref: 00007FF69C30D36C
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C30D394

Part of subcall function 00007FF69C32A848: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF69C2F6FC0), ref: 00007FF69C32A858

Part of subcall function 00007FF69C30CD20: memmove.VCRUNTIME140(?,?,?,00007FF69C2D10DD), ref: 00007FF69C30CD51

Part of subcall function 00007FF69C309C80: memset.VCRUNTIME140 ref: 00007FF69C309CDA
Part of subcall function 00007FF69C309C80: VirtualAlloc.KERNEL32 ref: 00007FF69C309D79
Part of subcall function 00007FF69C309C80: VirtualFree.KERNEL32 ref: 00007FF69C309DB0

Strings

[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF69C30D3D5
ntdll.dll, xrefs: 00007FF69C30D365
[!] Failed to find ExAllocatePool, xrefs: 00007FF69C309C33
[-] Failed to load ntdll.dll, xrefs: 00007FF69C30D377
NtAddAtom, xrefs: 00007FF69C30D3BD, 00007FF69C30D440
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF69C30D4C2
ExFreePool, xrefs: 00007FF69C309BAF
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF69C30D50C

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@VirtualW@std@@@std@@$AllocCriticalEnterFreeHandleInit_thread_footerModuleSection_invalid_parameter_noinfo_noreturnmemmovememset
String ID: ExFreePool$NtAddAtom$[!] Failed to find ExAllocatePool$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 1491483727-3600435281
Opcode ID: 9ea48ab024706c640348cc1030df36bdd4d2fdfa6a55cc9a4b0829c51a063e34
Instruction ID: 47a40ec485269ecca36015a47b01efe3134313922024c7c7dc48ed2be624725c
Opcode Fuzzy Hash: 9ea48ab024706c640348cc1030df36bdd4d2fdfa6a55cc9a4b0829c51a063e34
Instruction Fuzzy Hash: B69189A2E18B8384FA20DB65E850AB823B1FB45794F8041BAD94DC77A9DF3CE555C700

Function 00007FF69C30A465 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C30A530
_Init_thread_footer.LIBCMT ref: 00007FF69C30A544
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C30A570
GetModuleHandleA.KERNEL32 ref: 00007FF69C30D7CC
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C30D7F4

Part of subcall function 00007FF69C32A848: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF69C2F6FC0), ref: 00007FF69C32A858

Part of subcall function 00007FF69C30CD20: memmove.VCRUNTIME140(?,?,?,00007FF69C2D10DD), ref: 00007FF69C30CD51

Part of subcall function 00007FF69C309C80: memset.VCRUNTIME140 ref: 00007FF69C309CDA
Part of subcall function 00007FF69C309C80: VirtualAlloc.KERNEL32 ref: 00007FF69C309D79
Part of subcall function 00007FF69C309C80: VirtualFree.KERNEL32 ref: 00007FF69C309DB0

Strings

[-] Failed to get export ntdll.NtAddAtom, xrefs: 00007FF69C30D835
ntdll.dll, xrefs: 00007FF69C30D7C5
[!] Failed to find ExReleaseResourceLite, xrefs: 00007FF69C30A553
ExReleaseResourceLite, xrefs: 00007FF69C30A4CF
[-] Failed to load ntdll.dll, xrefs: 00007FF69C30D7D7
NtAddAtom, xrefs: 00007FF69C30D81D, 00007FF69C30D8A0
[-] Failed to get export ntoskrnl.NtAddAtom, xrefs: 00007FF69C30D922
[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!, xrefs: 00007FF69C30D96C

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: V01@$??6?$basic_ostream@_U?$char_traits@_V01@@VirtualW@std@@@std@@$AllocCriticalEnterFreeHandleInit_thread_footerModuleSection_invalid_parameter_noinfo_noreturnmemmovememset
String ID: ExReleaseResourceLite$NtAddAtom$[!] Failed to find ExReleaseResourceLite$[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!$[-] Failed to get export ntdll.NtAddAtom$[-] Failed to get export ntoskrnl.NtAddAtom$[-] Failed to load ntdll.dll$ntdll.dll
API String ID: 1491483727-1591343369
Opcode ID: c7421b1905650238f33c583406f79c59bac505d884456a94b9dda55dac15c886
Instruction ID: 5b043280e139cf7b36b9643afde370ae4b45cd3aa35074c29b7172a23da208df
Opcode Fuzzy Hash: c7421b1905650238f33c583406f79c59bac505d884456a94b9dda55dac15c886
Instruction Fuzzy Hash: 29919BA2E18A8385FB20CB65E850AB923B1FF44BD4F8041B9D95DC7BA9DF2CE555C700

Function 00007FF69C309460 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69C30CED0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D056
Part of subcall function 00007FF69C30CED0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D05D
Part of subcall function 00007FF69C30CED0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D06A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C3094B0
CloseHandle.KERNEL32 ref: 00007FF69C3094C3

Part of subcall function 00007FF69C308BC0: memset.VCRUNTIME140 ref: 00007FF69C308C02
Part of subcall function 00007FF69C308BC0: GetTempPathW.KERNEL32 ref: 00007FF69C308C10
Part of subcall function 00007FF69C308BC0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C308D44

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C30951A
memset.VCRUNTIME140 ref: 00007FF69C309549

Part of subcall function 00007FF69C30C590: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF69C30C5C3
Part of subcall function 00007FF69C30C590: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF69C30C5E2
Part of subcall function 00007FF69C30C590: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF69C30C614
Part of subcall function 00007FF69C30C590: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF69C30C630
Part of subcall function 00007FF69C30C590: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF69C30C674

rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF69C30956A
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF69C3095B3
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF69C3095F1
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C30962A
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF69C309657
_wremove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF69C309676
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF69C3096B7
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF69C3096C1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C309701

Strings

[+] Vul driver data destroyed before unlink, xrefs: 00007FF69C309614
[!] Error dumping shit inside the disk, xrefs: 00007FF69C30960B
[<] Unloading vulnerable driver, xrefs: 00007FF69C309493

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: U?$char_traits@$D@std@@@std@@$U?$char_traits@_V01@W@std@@@std@@$_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@_?setstate@?$basic_ios@V01@@memsetrand$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?setstate@?$basic_ios@_?uncaught_exception@std@@?write@?$basic_ostream@CloseD@std@@@1@_HandleInit@?$basic_streambuf@Osfx@?$basic_ostream@_PathTempV12@V?$basic_streambuf@_wremove
String ID: [!] Error dumping shit inside the disk$[+] Vul driver data destroyed before unlink$[<] Unloading vulnerable driver
API String ID: 3605567200-4078119036
Opcode ID: 04015fc62118697d0bd704791e383b52ba0d3f3f30d02b8c65b4d049dd5ea74f
Instruction ID: 1cd321fb5f244c69756868845a4325559d244eae4cc61c00384742d5ef5214c7
Opcode Fuzzy Hash: 04015fc62118697d0bd704791e383b52ba0d3f3f30d02b8c65b4d049dd5ea74f
Instruction Fuzzy Hash: C171E322B18B4382EF20DB25E4656BD63B1FB84B95F40417ADA5D87BA9DF3CE046C740

Function 00007FF69C3098F0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF69C309973
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF69C309996
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C3099A6
DeviceIoControl.KERNEL32 ref: 00007FF69C309A16
DeviceIoControl.KERNEL32 ref: 00007FF69C309A97
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF69C309ABA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C309ACA
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF69C309B16
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C309B26

Part of subcall function 00007FF69C30CED0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D056
Part of subcall function 00007FF69C30CED0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D05D
Part of subcall function 00007FF69C30CED0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D06A

Strings

[!] Failed to unmap IO space of physical address 0x, xrefs: 00007FF69C309AA8
[-] Failed to map IO space of 0x, xrefs: 00007FF69C309B04
[-] Failed to translate virtual address 0x, xrefs: 00007FF69C309984

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_$ControlDeviceV01@@$?setstate@?$basic_ios@_?uncaught_exception@std@@Osfx@?$basic_ostream@_
String ID: [!] Failed to unmap IO space of physical address 0x$[-] Failed to map IO space of 0x$[-] Failed to translate virtual address 0x
API String ID: 105665925-3202290428
Opcode ID: 6f782b2515961118e4cb08fad0a7f8ebbe193728f19ef8ba88626ca5e7920a9f
Instruction ID: 0de6546fdd12670729dccf1563b0387aca9db87988d8ed925e9cd901714e721b
Opcode Fuzzy Hash: 6f782b2515961118e4cb08fad0a7f8ebbe193728f19ef8ba88626ca5e7920a9f
Instruction Fuzzy Hash: CF517B32B18B8285EB20CF61E850BAA33B5FB48B88F004579DA8D57B58DF3CD115C744

Function 00007FF69C2E77C0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF69C2E782C
LoadLibraryA.KERNEL32 ref: 00007FF69C2E7844
InitOnceComplete.KERNEL32 ref: 00007FF69C2E7856
LoadLibraryA.KERNEL32 ref: 00007FF69C2E7867
GetProcAddress.KERNEL32 ref: 00007FF69C2E7877
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C2E789D
__std_exception_copy.VCRUNTIME140 ref: 00007FF69C2E78D4

Strings

win32u.dll, xrefs: 00007FF69C2E7860
user32.dll, xrefs: 00007FF69C2E783D
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF69C2E7870

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProc__std_exception_copyabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 3611760927-2075034528
Opcode ID: 68c0ad8eca54f24009388a16de90c6ddd6b821698b0ad1d92dfb723cf04d5a86
Instruction ID: ebf58b841233f44efc27544cd1ddf78b0cc983cf6ad300bac85c52dcdbda9696
Opcode Fuzzy Hash: 68c0ad8eca54f24009388a16de90c6ddd6b821698b0ad1d92dfb723cf04d5a86
Instruction Fuzzy Hash: 3B314B72A19B4282FB60DF21E86976933B0FB48B81F858179CA8CC6360EF3CD556C740

Function 00007FF69C2E7AD0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF69C2E7B50
LoadLibraryA.KERNEL32 ref: 00007FF69C2E7B68
InitOnceComplete.KERNEL32 ref: 00007FF69C2E7B7A
LoadLibraryA.KERNEL32 ref: 00007FF69C2E7B8B
GetProcAddress.KERNEL32 ref: 00007FF69C2E7B9B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C2E7BC1

Strings

win32u.dll, xrefs: 00007FF69C2E7B84
user32.dll, xrefs: 00007FF69C2E7B61
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF69C2E7B94

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: 3e99b4fd1f0d374628fd349c6983a4f35987022aefdc7b68754240e1105ec8ef
Instruction ID: 39a1d966dfd52644942b3bb509689bee912bc4e2bebcea0571f400b051f236d7
Opcode Fuzzy Hash: 3e99b4fd1f0d374628fd349c6983a4f35987022aefdc7b68754240e1105ec8ef
Instruction Fuzzy Hash: E5314C76A08B0286FB60DB25E8697A933B1FB88B80F814079D64DC7760DF3CD556CB50

Function 00007FF69C2E7490 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF69C2E750E
LoadLibraryA.KERNEL32 ref: 00007FF69C2E752D
InitOnceComplete.KERNEL32 ref: 00007FF69C2E753F
LoadLibraryA.KERNEL32 ref: 00007FF69C2E7554
GetProcAddress.KERNEL32 ref: 00007FF69C2E7564
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C2E75D6

Strings

win32u.dll, xrefs: 00007FF69C2E754D
user32.dll, xrefs: 00007FF69C2E7526
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF69C2E755D

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: 1014e5866cf53d62de73f16328be5b6e52e63ab505fe26a94db0acde3b228d26
Instruction ID: cab893fd3526dd4e27fb25bd0ca234bf34c5caea4d2603ce33dafbbaca18ea7f
Opcode Fuzzy Hash: 1014e5866cf53d62de73f16328be5b6e52e63ab505fe26a94db0acde3b228d26
Instruction Fuzzy Hash: AA318D32B18A4286EB64CB21E8A576A73B1FB88794F818175C64DC7764DF3CE506CB40

Function 00007FF69C2E76D0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF69C2E773B
LoadLibraryA.KERNEL32 ref: 00007FF69C2E7753
InitOnceComplete.KERNEL32 ref: 00007FF69C2E7765
LoadLibraryA.KERNEL32 ref: 00007FF69C2E7776
GetProcAddress.KERNEL32 ref: 00007FF69C2E7786
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C2E77AD

Strings

win32u.dll, xrefs: 00007FF69C2E776F
user32.dll, xrefs: 00007FF69C2E774C
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF69C2E777F

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: 4a6d971e0c6d4fc0afe1107218f48c08d750f701fd81c5f2d4fc75ba6f57087e
Instruction ID: c812639f3f447ddbeba63a82361b682e4baa1ebf417b263f875900d32fdcd214
Opcode Fuzzy Hash: 4a6d971e0c6d4fc0afe1107218f48c08d750f701fd81c5f2d4fc75ba6f57087e
Instruction Fuzzy Hash: 32213D36A18B4286FB60DF21E86976933F0FB84781F814079D68DC2660DF3CD506CB40

Function 00007FF69C2E75E0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceBeginInitialize.KERNEL32 ref: 00007FF69C2E764D
LoadLibraryA.KERNEL32 ref: 00007FF69C2E7665
InitOnceComplete.KERNEL32 ref: 00007FF69C2E7677
LoadLibraryA.KERNEL32 ref: 00007FF69C2E7688
GetProcAddress.KERNEL32 ref: 00007FF69C2E7698
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C2E76C2

Strings

win32u.dll, xrefs: 00007FF69C2E7681
user32.dll, xrefs: 00007FF69C2E765E
NtOpenCompositionSurfaceSectionInfo, xrefs: 00007FF69C2E7691

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: InitLibraryLoadOnce$AddressBeginCompleteInitializeProcabort
String ID: NtOpenCompositionSurfaceSectionInfo$user32.dll$win32u.dll
API String ID: 1232333743-2075034528
Opcode ID: 975f7dfe4b6231862f22f558be773e794d79dc79bda7a6ec454155d447f6e363
Instruction ID: eaeb162a572a9ef28adccec71ab453fa0bdc3f9925722336e09fd6c9bba9aa2e
Opcode Fuzzy Hash: 975f7dfe4b6231862f22f558be773e794d79dc79bda7a6ec454155d447f6e363
Instruction Fuzzy Hash: 59213936A18B4286FB60DB25E8697A933F0FB88781F814179C59DC2760EF3DD51ACB40

Function 00007FF69C320B00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF69C31F2EE), ref: 00007FF69C320B0B
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF69C320B72
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF69C320B93
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF69C320C17
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF69C320C9F
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF69C320CE5

Strings

vector too long, xrefs: 00007FF69C320B04

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: D@std@@@std@@U?$char_traits@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@Xlength_error@std@@
String ID: vector too long
API String ID: 4055594487-2873823879
Opcode ID: 289753b1327d946c7d8af21f843086a37c3a7aa4e17b1f5116c0d64e2d8d5285
Instruction ID: e8682bc0e3c6b75417aa720b0b50c29bb9fbda8d136c01056f1685e686fb8dfb
Opcode Fuzzy Hash: 289753b1327d946c7d8af21f843086a37c3a7aa4e17b1f5116c0d64e2d8d5285
Instruction Fuzzy Hash: 8F518D72A08A9291EF20DF1AE4A06396BB0FB84F95F558579CE5E87764CF3CD846C340

Function 00007FF69C30AD50 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF69C30A7D0), ref: 00007FF69C30AD93

Part of subcall function 00007FF69C3097B0: DeviceIoControl.KERNEL32 ref: 00007FF69C309818

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF69C30A7D0), ref: 00007FF69C30ADF4
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF69C30A7D0), ref: 00007FF69C30AE88

Part of subcall function 00007FF69C30CED0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D056
Part of subcall function 00007FF69C30CED0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D05D
Part of subcall function 00007FF69C30CED0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D06A

Strings

[-] Can't find pattern, Too big section, xrefs: 00007FF69C30ADA9
[-] No module address to find pattern, xrefs: 00007FF69C30AD76
[-] Read failed in FindPatternAtKernel, xrefs: 00007FF69C30ADDE
[-] Can't find pattern, xrefs: 00007FF69C30AE72

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_V01@@$?setstate@?$basic_ios@_?uncaught_exception@std@@ControlDeviceOsfx@?$basic_ostream@_
String ID: [-] Can't find pattern$[-] Can't find pattern, Too big section$[-] No module address to find pattern$[-] Read failed in FindPatternAtKernel
API String ID: 2892813601-521562947
Opcode ID: fc7aa4657cecb5f6b697d79f95434399437788edefec97881a8352b0add2d873
Instruction ID: 886dd0ea6f0785a461a98b01302405bd410929c72c02381268209ad954930c5d
Opcode Fuzzy Hash: fc7aa4657cecb5f6b697d79f95434399437788edefec97881a8352b0add2d873
Instruction Fuzzy Hash: D641B262A1CA8381EE30CB25B864AB973B2EF45BC5F4415B9D95E87795DF3CE602C300

Function 00007FF69C309C80 Relevance: 12.2, APIs: 8, Instructions: 196memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF69C309CDA

Part of subcall function 00007FF69C3097B0: DeviceIoControl.KERNEL32 ref: 00007FF69C309818

VirtualAlloc.KERNEL32 ref: 00007FF69C309D79
VirtualFree.KERNEL32 ref: 00007FF69C309DB0
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF69C309E56
VirtualFree.KERNEL32 ref: 00007FF69C309EBC
VirtualFree.KERNEL32 ref: 00007FF69C309F3B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C309F77
VirtualFree.KERNEL32 ref: 00007FF69C309F89

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Virtual$Free$AllocControlDevice_invalid_parameter_noinfo_noreturn_stricmpmemset
String ID:
API String ID: 2498276250-0
Opcode ID: df5a3ca042de00123afa96b5a90819324af7b7ebf9bbf5d772b2fa7c5cd8ce57
Instruction ID: 368c5ffd7b7c4f20e7f4c554a1b56625ccb3487532ab885e605548ceed4ce068
Opcode Fuzzy Hash: df5a3ca042de00123afa96b5a90819324af7b7ebf9bbf5d772b2fa7c5cd8ce57
Instruction Fuzzy Hash: 26817362B18B4286EB70CB65E850B6D67B1FB45BD4F104279DA9D87B98DF3CE481C700

Function 00007FF69C2FF020 Relevance: 11.4, APIs: 9, Instructions: 139COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF058
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF087
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF0B6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF0F1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF120
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF155
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FF1DF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FF218
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FF273

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9ae3793ff93c918e1b12437427f832123660c5cc30c3c70939ad6d92a1a5d4ca
Instruction ID: db093b160eb5a1583e3fe7cd59eba758f757fdf392c181f86e8cbc6dd56e2e2f
Opcode Fuzzy Hash: 9ae3793ff93c918e1b12437427f832123660c5cc30c3c70939ad6d92a1a5d4ca
Instruction Fuzzy Hash: FF61153660978685EB25CF25E59027933F4FB84B84F0945B6CE4D87799CF78E890D350

Function 00007FF69C2F6880 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2F68D5
memcpy.VCRUNTIME140 ref: 00007FF69C2F68EA
memchr.VCRUNTIME140 ref: 00007FF69C2F6985
memchr.VCRUNTIME140 ref: 00007FF69C2F69A1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2F6A95

Strings

], xrefs: 00007FF69C2F6962
Window, xrefs: 00007FF69C2F69BA

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: memchr$freemallocmemcpy
String ID: Window$]
API String ID: 96147131-2892678728
Opcode ID: cec71d9599e5b557407d5e902833d7de308e748c899d20101c0e8ccc1e973371
Instruction ID: c88d57d5ab6041952b215d2c85977020e22a320798200023a51ddde1c9b87298
Opcode Fuzzy Hash: cec71d9599e5b557407d5e902833d7de308e748c899d20101c0e8ccc1e973371
Instruction Fuzzy Hash: C4510722B0D68B89EB318B26A61427967B1FF45BC4F4881B6DE4D87B95CF3CE542D300

Function 00007FF69C30E720 Relevance: 10.6, APIs: 7, Instructions: 146COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF69C30E7B4
memmove.VCRUNTIME140 ref: 00007FF69C30E7FF
memcpy.VCRUNTIME140 ref: 00007FF69C30E817
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C30E8B2

Part of subcall function 00007FF69C32A2C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69C2D100E), ref: 00007FF69C32A2DA

memcpy.VCRUNTIME140 ref: 00007FF69C30E8E8
memcpy.VCRUNTIME140 ref: 00007FF69C30E906
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C30E929

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemmove
String ID:
API String ID: 3070920775-0
Opcode ID: eac2097aaaacec7241a1c6bd8cba1623e7a043d604d4cafde3e78e136bed875f
Instruction ID: c95372aa5ac1af13974e2f40657ccc3a3a993f6b4e520c25017b4a729e0ca08a
Opcode Fuzzy Hash: eac2097aaaacec7241a1c6bd8cba1623e7a043d604d4cafde3e78e136bed875f
Instruction Fuzzy Hash: FC519D33B04B8692EA20DB25E5586686370FB44BE4F544A39DBAD833D1DF3CE185C380

Function 00007FF69C30EA70 Relevance: 10.6, APIs: 7, Instructions: 137COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF69C30EAFD
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF69C30EB5A
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF69C30EB86
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z.MSVCP140 ref: 00007FF69C30EBC2
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF69C30EBF6
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF69C30EBFD
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF69C30EC0A

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID:
API String ID: 4072499529-0
Opcode ID: 620e794b91e78fcbd2bc3072b30ce09b6dd0b1804bf714dc44df823586ecf130
Instruction ID: ce39985d2ddea18f50b3ecb7eb82987c49c01f8d4f7d8996aef34d89ff2f7a30
Opcode Fuzzy Hash: 620e794b91e78fcbd2bc3072b30ce09b6dd0b1804bf714dc44df823586ecf130
Instruction Fuzzy Hash: 94513026708A4281EB30CB5AE594639A770FB85FC5F15857ACE8F87BA4CF3DD5868340

Function 00007FF69C30CED0 Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30CF6C
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30CFC9
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30CFEC
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D00D
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D056
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D05D
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D06A

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID:
API String ID: 4072499529-0
Opcode ID: e502d62ed2ecd178e95b8050b1ba5a53fcd82dc1f7969ba0ee37df16e139e949
Instruction ID: 13e926cabdef8316380eb9c45c1d68c99dca3069293721fa3c145ee1c3db206e
Opcode Fuzzy Hash: e502d62ed2ecd178e95b8050b1ba5a53fcd82dc1f7969ba0ee37df16e139e949
Instruction Fuzzy Hash: 1B514023609A4282EB30CF1AE590A79A7B0FB84FD5F158579DE4E83BA0CF3DD4468341

Function 00007FF69C30AED0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69C3097B0: DeviceIoControl.KERNEL32 ref: 00007FF69C309818

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF69C30A7D0), ref: 00007FF69C30AF45

Part of subcall function 00007FF69C30CED0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30CF6C
Part of subcall function 00007FF69C30CED0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30CFC9
Part of subcall function 00007FF69C30CED0: ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30CFEC
Part of subcall function 00007FF69C30CED0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D00D

memcmp.VCRUNTIME140(?,?,?,00007FF69C30A7D0), ref: 00007FF69C30AFD0

Part of subcall function 00007FF69C30CED0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D056
Part of subcall function 00007FF69C30CED0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D05D
Part of subcall function 00007FF69C30CED0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D06A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,00007FF69C30A7D0), ref: 00007FF69C30B03C

Strings

PAGE, xrefs: 00007FF69C30AF5B, 00007FF69C30AFF5
[-] Can't read module headers, xrefs: 00007FF69C30AF2F
[-] Can't find section, xrefs: 00007FF69C30B026

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_?sputc@?$basic_streambuf@_V01@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_?uncaught_exception@std@@ControlDeviceOsfx@?$basic_ostream@_V12@memcmp
String ID: PAGE$[-] Can't find section$[-] Can't read module headers
API String ID: 3692731308-1129567509
Opcode ID: 6e3b07a73f03ec074dffb0840c6786065b745d5db442ecca66f903d67c9f505d
Instruction ID: 3d8c99c1c52e7f9eeac96946e9605beac8a912cf63ede53ce7ead03e877d8494
Opcode Fuzzy Hash: 6e3b07a73f03ec074dffb0840c6786065b745d5db442ecca66f903d67c9f505d
Instruction Fuzzy Hash: 21416C72A08AC381EA30CF15A8506BA63B1FB45BD8F441279EE9D83799DE7CE491C700

Function 00007FF69C30E190 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E1B8
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E1D2
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E1FC
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E227
std::_Facet_Register.LIBCPMT ref: 00007FF69C30E240
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E25F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C30E285

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$ctype@_Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@W@std@@std::_
String ID:
API String ID: 3972169111-0
Opcode ID: 78f09c4808e4aab4108a7444fa2a9336975894ac3f2dbec37947491c5d28706d
Instruction ID: 5c554dd7faa0134c95befefd2633cba88d684004dd47b599bd0e10ac2b0424d4
Opcode Fuzzy Hash: 78f09c4808e4aab4108a7444fa2a9336975894ac3f2dbec37947491c5d28706d
Instruction Fuzzy Hash: 5D316B22608B8281EE24DF15E85056A6770FB98FD1F4806B9DA9E837A5CF3CE542C740

Function 00007FF69C30E090 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E0B8
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E0D2
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E0FC
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E127
std::_Facet_Register.LIBCPMT ref: 00007FF69C30E140
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E15F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C30E185

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: 040452c5eb93cc914e82e5e49e024d30730fc81bf0a94898b50c11eea0834719
Instruction ID: 05aa8704f874852425ab59e49a1b2325b49c69c53a37e853248df40de5da158c
Opcode Fuzzy Hash: 040452c5eb93cc914e82e5e49e024d30730fc81bf0a94898b50c11eea0834719
Instruction Fuzzy Hash: 46314B22A08B8281EE24CF15E85056A6770FB98FD5B4806B9DA9E837A5DF3CE445C740

Function 00007FF69C2F6D60 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 130stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00007FF69C2F6ED7

Strings

Collapsed=%d, xrefs: 00007FF69C2F6F3A
###, xrefs: 00007FF69C2F6ECD
[%s][%s], xrefs: 00007FF69C2F6EE1
Pos=%d,%d, xrefs: 00007FF69C2F6F01
Size=%d,%d, xrefs: 00007FF69C2F6F1E

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: strstr
String ID: ###$Collapsed=%d$Pos=%d,%d$Size=%d,%d$[%s][%s]
API String ID: 1392478783-2972057365
Opcode ID: c3311be36638c5c1300b420d40b5f67d67dfb19cf233c04f9cc181b4b226debe
Instruction ID: 54ac8ce7d30a95b5feaf61b430696d7bcec5a9cba160add1dee3ce7b3d487a50
Opcode Fuzzy Hash: c3311be36638c5c1300b420d40b5f67d67dfb19cf233c04f9cc181b4b226debe
Instruction Fuzzy Hash: BA51FE32A1868BCAEA24DF21D54187877B0FB49B80F0A8676DE4D87354DF38E951CB40

Function 00007FF69C30A5A0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C30A6DC
_Init_thread_footer.LIBCMT ref: 00007FF69C30A702
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C30A72E

Strings

[!] Failed to find RtlLookupElementGenericTableAvl, xrefs: 00007FF69C30A711
RtlLookupElementGenericTableAvl, xrefs: 00007FF69C30A67B

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: V01@$??6?$basic_ostream@_Init_thread_footerU?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturn
String ID: RtlLookupElementGenericTableAvl$[!] Failed to find RtlLookupElementGenericTableAvl
API String ID: 1815191494-1952825546
Opcode ID: f070e053a378668e9e6daf9e81185e11dfe6dee713a271421e5fdd4aa66afd06
Instruction ID: 177ac4c367672b188a7eab5f4ba312e532b7cc3b0cac27bce0eba136d9a3e3c5
Opcode Fuzzy Hash: f070e053a378668e9e6daf9e81185e11dfe6dee713a271421e5fdd4aa66afd06
Instruction Fuzzy Hash: 1041A262A1CB8782EA20DB54F850B697370FB847A4F504279EA9DC3BA5DF7CE145CB00

Function 00007FF69C2E8722 Relevance: 8.8, APIs: 7, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69C2FF020: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF058
Part of subcall function 00007FF69C2FF020: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF087
Part of subcall function 00007FF69C2FF020: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF0B6
Part of subcall function 00007FF69C2FF020: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF0F1
Part of subcall function 00007FF69C2FF020: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF120
Part of subcall function 00007FF69C2FF020: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF69C2E873E), ref: 00007FF69C2FF155

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2E8764
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2E878F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2E87B7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2E87DF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2E8807
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2E882F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2E8857

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 420751157a29d6721770391d86d1ba1e03ac9792969dd9d40c1d14559da5df10
Instruction ID: e9ab10a2e1fe061b65b5986600c282447ab53426d643f8a6458a02378a4b7206
Opcode Fuzzy Hash: 420751157a29d6721770391d86d1ba1e03ac9792969dd9d40c1d14559da5df10
Instruction Fuzzy Hash: 9E310A25B0E64781EF269B26E59067923B1FF85B80F0D95B6CC0CD3391CF6CE840D260

Function 00007FF69C30A300 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-0000000A,00007FF69C30A9AD), ref: 00007FF69C30A410

Part of subcall function 00007FF69C32A848: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF69C2F6FC0), ref: 00007FF69C32A858

Part of subcall function 00007FF69C30CD20: memmove.VCRUNTIME140(?,?,?,00007FF69C2D10DD), ref: 00007FF69C30CD51

Part of subcall function 00007FF69C309C80: memset.VCRUNTIME140 ref: 00007FF69C309CDA
Part of subcall function 00007FF69C309C80: VirtualAlloc.KERNEL32 ref: 00007FF69C309D79
Part of subcall function 00007FF69C309C80: VirtualFree.KERNEL32 ref: 00007FF69C309DB0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C30A3D0
_Init_thread_footer.LIBCMT ref: 00007FF69C30A3E4

Strings

ExAcquireResourceExclusiveLite, xrefs: 00007FF69C30A36F
[!] Failed to find ExAcquireResourceExclusiveLite, xrefs: 00007FF69C30A3F3

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: V01@Virtual$??6?$basic_ostream@_AllocCriticalEnterFreeInit_thread_footerSectionU?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturnmemmovememset
String ID: ExAcquireResourceExclusiveLite$[!] Failed to find ExAcquireResourceExclusiveLite
API String ID: 3554207627-2131800721
Opcode ID: 987cdaeedb75df2671c2ddd36fbfa290dc1d34582a0d199e2f2b36eb1194b640
Instruction ID: 9481850a1aef9577b920daa803316743f87d91ed014a4bcdc346e813c086dfaa
Opcode Fuzzy Hash: 987cdaeedb75df2671c2ddd36fbfa290dc1d34582a0d199e2f2b36eb1194b640
Instruction Fuzzy Hash: EA319E66A28A8381EE60CB14F4847B96371EF807E0F4051B9EA5DC7BA5DF3CE195C700

Function 00007FF69C301D50 Relevance: 7.6, APIs: 6, Instructions: 144COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C301D87
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C301E48
memcpy.VCRUNTIME140 ref: 00007FF69C301E67
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C301E8E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C301F56
memcpy.VCRUNTIME140 ref: 00007FF69C301F6C

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: malloc$memcpy$free
String ID:
API String ID: 2877244841-0
Opcode ID: 99101a029e3931ebd0bff7f07edbb22c2799ab2ff2675ba506e55ba0243ebe01
Instruction ID: 9ef07f8b0900cc32997ab57e28be55a85457963bae7f133779a4824725a39980
Opcode Fuzzy Hash: 99101a029e3931ebd0bff7f07edbb22c2799ab2ff2675ba506e55ba0243ebe01
Instruction Fuzzy Hash: C1615F32A09B8686EB65CF25D59037873B0FB99B44F089279DB8D87752DF78E4A1C340

Function 00007FF69C30C590 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF69C30C5C3
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF69C30C5E2
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF69C30C614
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF69C30C630

Part of subcall function 00007FF69C30CAD0: ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF69C30CAFA
Part of subcall function 00007FF69C30CAD0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF69C30CB22
Part of subcall function 00007FF69C30CAD0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF69C30CB37

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF69C30C674

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@Init@?$basic_streambuf@U_iobuf@@V?$basic_streambuf@Vlocale@2@
String ID:
API String ID: 3805387474-0
Opcode ID: 9e50329d0ed2b76c8a83bb2413259d04d0743f1b422989f9211208344c2e5ce6
Instruction ID: 4974c26ab3e0e9b8fcd36da970629c1b9efd25ccbae8eaeabcda1f32fe345020
Opcode Fuzzy Hash: 9e50329d0ed2b76c8a83bb2413259d04d0743f1b422989f9211208344c2e5ce6
Instruction Fuzzy Hash: BF210A32609B8286EB20CF29F86472A77B4FB89B99F448575DA8D83724DF3DD056C740

Function 00007FF69C2F7230 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00007FF69C2F7269
ImmSetCompositionWindow.IMM32 ref: 00007FF69C2F728F
ImmReleaseContext.IMM32 ref: 00007FF69C2F729B

Strings

, xrefs: 00007FF69C2F7287

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Context$CompositionReleaseWindow
String ID:
API String ID: 244372355-3916222277
Opcode ID: bd41dc3b1a21754c399856f02b5a63202637db2bf43a2f86d2a60bb4a1944631
Instruction ID: 85f3d8d59526aa48f668ef4252b62feaf6384f8658458e614deb29711f08eb9c
Opcode Fuzzy Hash: bd41dc3b1a21754c399856f02b5a63202637db2bf43a2f86d2a60bb4a1944631
Instruction Fuzzy Hash: 78012C36A09B8286FA308B16B925669B7B0FB8CFD4F484179DE8D87755DF3CD4068B00

Function 00007FF69C306A20 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 425COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF69C306BA3
memchr.VCRUNTIME140 ref: 00007FF69C306C63
memchr.VCRUNTIME140 ref: 00007FF69C306D5E

Strings

..., xrefs: 00007FF69C306A25

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: memchr
String ID: ...
API String ID: 3297308162-440645147
Opcode ID: 6ae29f569719afd09e3d7c8137f17c90db282c353453b05132969bcd5c2dc47f
Instruction ID: 0efe18a9eb57c89c1ca220b0f9ebc5cda11886468d31f8724adb52eaacfd8b73
Opcode Fuzzy Hash: 6ae29f569719afd09e3d7c8137f17c90db282c353453b05132969bcd5c2dc47f
Instruction Fuzzy Hash: 6222E733D0878A45E622CB3691417F9B370EF6E384F189735EE99726A5EF28B1C18740

Function 00007FF69C2F73E0 Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2F743E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2F7475
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2F74A3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2F74D1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2F74F9

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7246dccd3372a298794f577b1f759a3fa7e1c16ec8c2c7e326251f819fbe6688
Instruction ID: 448ab717f47bd26e452c49008f70f66b34034c61211fa2b9116d0007cd197b27
Opcode Fuzzy Hash: 7246dccd3372a298794f577b1f759a3fa7e1c16ec8c2c7e326251f819fbe6688
Instruction Fuzzy Hash: CF310632B0EA8A89EB258F15E5A01793770FF84F84F4D85B6DA8D83395CF78E851D250

Function 00007FF69C2EB040 Relevance: 6.3, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2EB06E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2EB099
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2EB0C4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2EB0EF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2EB11A

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1d602680703cd000b14b8cf1d11bdb9b2841e342f0d06c031d770e24717ebcf9
Instruction ID: e5c209c38c59286ce7eff620544b43399a2584c129a883e69b8c30d7b7bc0c8b
Opcode Fuzzy Hash: 1d602680703cd000b14b8cf1d11bdb9b2841e342f0d06c031d770e24717ebcf9
Instruction Fuzzy Hash: C621E721B1E68780EF669B25E5906B92370FF85B80F0D95B6CD0DD73E1CF6DE8509228

Function 00007FF69C2FBCD0 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FBE26
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FBE53
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FBE7A
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69C2FBE9D

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: ceilffloorf
String ID:
API String ID: 300201839-0
Opcode ID: 5e5cd4a11bfff37083c96dd00609064da9770058553814cda130ad8ebf6cf672
Instruction ID: 5e28611003d763ce1c2e2e0fee0664d9954529b14de2c12045ae3f0224d2a9d5
Opcode Fuzzy Hash: 5e5cd4a11bfff37083c96dd00609064da9770058553814cda130ad8ebf6cf672
Instruction Fuzzy Hash: BD51E82291CBD689D3729F3551516BABBB0EF69341F458332EEC4A2755EF39E4818B00

Function 00007FF69C31FA60 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000), ref: 00007FF69C31FB95
memset.VCRUNTIME140(?,?,?,?,?,?,?,00000000), ref: 00007FF69C31FB9E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF69C31FBA3
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000), ref: 00007FF69C31FBAF

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfomemcpymemset
String ID:
API String ID: 187659361-0
Opcode ID: 96ea3a2862079471f413f28ed0c0ad94d3c567491b4ba4a43eea5d972b644483
Instruction ID: 971db4f3d6f5d42db58d7d0a8d15c02be74482ae5360745dd2f74a2fd2318d70
Opcode Fuzzy Hash: 96ea3a2862079471f413f28ed0c0ad94d3c567491b4ba4a43eea5d972b644483
Instruction Fuzzy Hash: EF41B172B09A1686DB249B2EA45493D73B0FB88F84F558079DE1DC3B84DE3DE582C740

Function 00007FF69C30CD20 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF69C2D10DD), ref: 00007FF69C30CD51
memcpy.VCRUNTIME140(?,?,?,00007FF69C2D10DD), ref: 00007FF69C30CE16
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF69C2D10DD), ref: 00007FF69C30CE6A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C30CE71

Part of subcall function 00007FF69C32A2C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69C2D100E), ref: 00007FF69C32A2DA

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemcpymemmove
String ID:
API String ID: 966911907-0
Opcode ID: 59f62306cccf0414aef45c8bf99f6cd9c7fab89346f110d71633b440c9604bb5
Instruction ID: 414f4de772c54b296f9fe33cf2626b8ff14e8e33a5614aa0eeab57f7adc8a03d
Opcode Fuzzy Hash: 59f62306cccf0414aef45c8bf99f6cd9c7fab89346f110d71633b440c9604bb5
Instruction Fuzzy Hash: C6410323B06A4745EE28DB39A5546782361EF04FE5F284675CE2D87BD5DE3CE482C341

Function 00007FF69C30E400 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF69C30E507
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C30E54A
memcpy.VCRUNTIME140 ref: 00007FF69C30E554
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C30E58F

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: e3f58f6b00b0b1bdf5b4b1698d81981b4d36618b2a9122d9afc865046c52c7fc
Instruction ID: 20da0075d04040e69e10b4b15597913f4107fd3883caadc4e5d49d5c97f64e57
Opcode Fuzzy Hash: e3f58f6b00b0b1bdf5b4b1698d81981b4d36618b2a9122d9afc865046c52c7fc
Instruction Fuzzy Hash: 1441C123B09B4282EE24DB12A5146696275EB08BE4F540739DEBD87BD5EE3CE0418300

Function 00007FF69C30CBA0 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00000000,00007FF69C308CD2), ref: 00007FF69C30CBDB
memcpy.VCRUNTIME140(?,?,00000000,00007FF69C308CD2), ref: 00007FF69C30CCBC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF69C308CD2), ref: 00007FF69C30CD05
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C30CD12

Part of subcall function 00007FF69C32A2C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69C2D100E), ref: 00007FF69C32A2DA

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemcpymemmove
String ID:
API String ID: 966911907-0
Opcode ID: 43c1a81fde066b146ea4e8ce7d717cbff9077eb54f5f95f4ff25758fd690c3f8
Instruction ID: ac09bad4d2ea3bd85ceb04bc88f5ae927be7f4b2a83094319a94846ce0403f30
Opcode Fuzzy Hash: 43c1a81fde066b146ea4e8ce7d717cbff9077eb54f5f95f4ff25758fd690c3f8
Instruction Fuzzy Hash: 0531FD22B06A4755ED24EB2AE414AB82260EB04FF0F580778DE3E877C5DE7CE4828305

Function 00007FF69C30E5A0 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,7FFFFFFFFFFFFFFF,?,?,00007FF69C320C88), ref: 00007FF69C30E67F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,7FFFFFFFFFFFFFFF,?,?,00007FF69C320C88), ref: 00007FF69C30E6BC
memcpy.VCRUNTIME140(?,7FFFFFFFFFFFFFFF,?,?,00007FF69C320C88), ref: 00007FF69C30E6C6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C30E6F3

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: b6d35e801518520863dc0aa0584f297c06ac2be2c9eb574a2afa92eabb3d525e
Instruction ID: 374d027861cfebc4a5de700544ad578de7221178b7254ddc844bc37afaf1191e
Opcode Fuzzy Hash: b6d35e801518520863dc0aa0584f297c06ac2be2c9eb574a2afa92eabb3d525e
Instruction Fuzzy Hash: 60412323B09B8695EE34DB2AA4146686361EF04BE0F180778DFAE477D5CF7CE4918300

Function 00007FF69C30E290 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF69C30E384
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C30E3BC
memcpy.VCRUNTIME140 ref: 00007FF69C30E3C6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C30E3EF

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 65b75e714d3b8d0f3d1d7ee04dfb391f2095745c26d83bc344aefc258cd6296b
Instruction ID: b453071060660b7a9059603bd566d48c20dd49747dcd9cc9e8ee7164d7f0ad6b
Opcode Fuzzy Hash: 65b75e714d3b8d0f3d1d7ee04dfb391f2095745c26d83bc344aefc258cd6296b
Instruction Fuzzy Hash: 7231D362B0974385EE34DB26A504679A761EB04BF0F184BBDDABE877D5DE7CE0428240

Function 00007FF69C30E930 Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69C30E9FD

Part of subcall function 00007FF69C32A2C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69C2D100E), ref: 00007FF69C32A2DA

memcpy.VCRUNTIME140 ref: 00007FF69C30EA2E
memcpy.VCRUNTIME140 ref: 00007FF69C30EA3E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69C30EA61

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 0aa88baf9d1b0420148692b2d0b85112af31a7731b3f12c46f8794b7596c522b
Instruction ID: a22eb5c7d57f48f0fafb423d79a0068c549c49402c3805cb1796bfd05875c82f
Opcode Fuzzy Hash: 0aa88baf9d1b0420148692b2d0b85112af31a7731b3f12c46f8794b7596c522b
Instruction Fuzzy Hash: 2D31AD22709B4694EE34DB16A510AB962A1FB49BF4F484B79DEBD877D4DE3CE042C340

Function 00007FF69C2F1AB0 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69C2F1B44
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69C2F1B56
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69C2F1B5E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2F1BC8

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: __acrt_iob_funcfclosefflushfree
String ID:
API String ID: 4015754604-0
Opcode ID: 6154950440daeff57409fd6645cf66fa9acaf76249c7e92c0318f2573f9051bb
Instruction ID: 064b2982ef680af8dd663329254542a8c7255074636c20872d135b25a31be457
Opcode Fuzzy Hash: 6154950440daeff57409fd6645cf66fa9acaf76249c7e92c0318f2573f9051bb
Instruction Fuzzy Hash: 79415A32A09A878AEB24CF21E2902A973B0FB44B84F484576DB5D87759DF3CE490E710

Function 00007FF69C30CAD0 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF69C30CAFA

Part of subcall function 00007FF69C30C960: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,?,?,?,?,00007FF69C30CB1A), ref: 00007FF69C30C992
Part of subcall function 00007FF69C30C960: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00007FF69C30CB1A), ref: 00007FF69C30C9C0

?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF69C30CB22

Part of subcall function 00007FF69C30E090: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E0B8
Part of subcall function 00007FF69C30E090: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E0D2
Part of subcall function 00007FF69C30E090: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E0FC
Part of subcall function 00007FF69C30E090: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E127
Part of subcall function 00007FF69C30E090: std::_Facet_Register.LIBCPMT ref: 00007FF69C30E140
Part of subcall function 00007FF69C30E090: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF69C30CB31), ref: 00007FF69C30E15F

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF69C30CB37
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF69C30CB52

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: 890c33a33070d92169f86227836753d27bef9b29972b3ff5854962c0b540de06
Instruction ID: a0d2a9feec2e37af08ff8207e5f3a6db76765a80cef8488690bc48e12e149d69
Opcode Fuzzy Hash: 890c33a33070d92169f86227836753d27bef9b29972b3ff5854962c0b540de06
Instruction Fuzzy Hash: B1116D22B09A0381EE24DB26F454B6963B0EF89FC5F184479CE0E87795DE3CE445C740

Function 00007FF69C306534 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

SetCursorPos.USER32 ref: 00007FF69C3065B7
GetForegroundWindow.USER32 ref: 00007FF69C3065D1
GetCursorPos.USER32 ref: 00007FF69C3065E5
ScreenToClient.USER32 ref: 00007FF69C3065FB

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: Cursor$ClientForegroundScreenWindow
String ID:
API String ID: 958140035-0
Opcode ID: 6e8f34721c867209d0519b7d94c9320c8777613a3f7a4386faf320aada36a3a1
Instruction ID: 6df08316ee9d8b5c24c9279c6228229733fdc907944bc691ea27826caea340f6
Opcode Fuzzy Hash: 6e8f34721c867209d0519b7d94c9320c8777613a3f7a4386faf320aada36a3a1
Instruction Fuzzy Hash: 6F119333919AC38BEB31CF30E85296877B0FB84B55F488279DA4982695DF2CF546CB10

Function 00007FF69C2E8930 Relevance: 5.4, APIs: 4, Instructions: 372COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69C2E94D0: memset.VCRUNTIME140(?,?,?,00007FF69C2E8968), ref: 00007FF69C2E959A
Part of subcall function 00007FF69C2E94D0: memset.VCRUNTIME140(?,?,?,00007FF69C2E8968), ref: 00007FF69C2E95EA

memset.VCRUNTIME140 ref: 00007FF69C2E8E0A

Part of subcall function 00007FF69C303840: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C303877
Part of subcall function 00007FF69C303840: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C3038A6
Part of subcall function 00007FF69C303840: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C3038D5

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2E8EF0
memset.VCRUNTIME140 ref: 00007FF69C2E91D0
memset.VCRUNTIME140 ref: 00007FF69C2E9200

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: memset$free$malloc
String ID:
API String ID: 1393892039-0
Opcode ID: 60d92bec00438bc87a728e801c4a60b93ea8e573a61037852e23581e036a4998
Instruction ID: ce4882191d4a3576e00c24a9b2296d97d86af9492b1da04adbe4262d32f11c3b
Opcode Fuzzy Hash: 60d92bec00438bc87a728e801c4a60b93ea8e573a61037852e23581e036a4998
Instruction Fuzzy Hash: 3D32C073105BC186D3109F29A8441DA37E8F745F68F284B39DEA40BB98DF7481A2E778

Function 00007FF69C2E7A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF69C2E7A5B
GetWindowThreadProcessId.USER32 ref: 00007FF69C2E7A94

Strings

map/set too long, xrefs: 00007FF69C2E7A54

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: ProcessThreadWindowXlength_error@std@@
String ID: map/set too long
API String ID: 2154790705-558153379
Opcode ID: 3f882dff7f9f5ed8dd63ded600f097bfd59105ba55d1e0b4f333c4db4caa157b
Instruction ID: 081100bbf7b42e9de1f8f0a175c382bacb3615d14e73d5bf52357275dab08fca
Opcode Fuzzy Hash: 3f882dff7f9f5ed8dd63ded600f097bfd59105ba55d1e0b4f333c4db4caa157b
Instruction Fuzzy Hash: A2F06221B1C64382EA308B10F9611667370FB88BC4F540975DA5DC7B64DF7CE5518B40

Function 00007FF69C30A8A7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69C30CED0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D056
Part of subcall function 00007FF69C30CED0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D05D
Part of subcall function 00007FF69C30CED0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D06A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C30A85B

Strings

[-] Warning PiDDBCacheTable not found, xrefs: 00007FF69C30A8B0
H, xrefs: 00007FF69C30A8AC

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_?setstate@?$basic_ios@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V01@@
String ID: H$[-] Warning PiDDBCacheTable not found
API String ID: 2638164236-1616274805
Opcode ID: 9f526cb7130caad9e096388ba05874d29d53a9ef0e6f554d9c1838758932f8b8
Instruction ID: 0731d6d936948b62da55253fdc678165868db955f2c251082d6226bde49c21c5
Opcode Fuzzy Hash: 9f526cb7130caad9e096388ba05874d29d53a9ef0e6f554d9c1838758932f8b8
Instruction Fuzzy Hash: D4F0E226A1D68389EB60CB20E4259AC3375FB09794F9444BADE0D87241CF3CE147C301

Function 00007FF69C30A83D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69C30CED0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D056
Part of subcall function 00007FF69C30CED0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D05D
Part of subcall function 00007FF69C30CED0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF69C308C99), ref: 00007FF69C30D06A

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF69C30A85B

Strings

H, xrefs: 00007FF69C30A842
[-] Warning PiDDBLock not found, xrefs: 00007FF69C30A846

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_?setstate@?$basic_ios@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V01@@
String ID: H$[-] Warning PiDDBLock not found
API String ID: 2638164236-2111066117
Opcode ID: 29e8c99416d67373702495dfe326165cd4479d8af38ccf263f688a6e1e6deb9c
Instruction ID: b49e3207922bb505487a2811fe439b12377a3b15dd5697ef07110045d2f77a58
Opcode Fuzzy Hash: 29e8c99416d67373702495dfe326165cd4479d8af38ccf263f688a6e1e6deb9c
Instruction Fuzzy Hash: 7DF0A026A1D6828AEB60DB20E4659AC33B5FF49798F9518BADE0D83355CF3CE547C301

Function 00007FF69C2FD750 Relevance: 5.2, APIs: 4, Instructions: 246COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FD811
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FD87E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FDB22
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69C2FDB49

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: d99b7a0a0c198f3dabf9852f900858cf630b1c5d5bf12e7b70d6c1ac39cd914f
Instruction ID: 4c608fcf2fd14584e3cf5505fb3fa323154788ab0ec7b3de5cf80639a6449155
Opcode Fuzzy Hash: d99b7a0a0c198f3dabf9852f900858cf630b1c5d5bf12e7b70d6c1ac39cd914f
Instruction Fuzzy Hash: 79B19322A18B9989F721DF35944427EB7B4FF99B84F049332EE4992764DF78E442D700

Function 00007FF69C2F7930 Relevance: 5.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF69C2EDE8D), ref: 00007FF69C2F79AA
memcpy.VCRUNTIME140(?,?,00000000,00007FF69C2EDE8D), ref: 00007FF69C2F79C5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF69C2EDE8D), ref: 00007FF69C2F79EC
memmove.VCRUNTIME140(?,?,00000000,00007FF69C2EDE8D), ref: 00007FF69C2F7A15

Memory Dump Source

Source File: 00000000.00000002.2935996965.00007FF69C2D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69C2D0000, based on PE: true

Associated: 00000000.00000002.2935980164.00007FF69C2D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936041395.00007FF69C32E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C32F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936059418.00007FF69C3DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936246173.00007FF69C554000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2936261672.00007FF69C556000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69c2d0000_9HwMaWcccx.jbxd

Yara matches

Similarity

API ID: freemallocmemcpymemmove
String ID:
API String ID: 2074075965-0
Opcode ID: 1030ccab036599bd2654157e872b8165e26a8edb0f66a7670170499d2db33e5d
Instruction ID: 68595693179f92e0ece12cef4339bca1788c5a26ac00ca2f9e930d4b768f3b21
Opcode Fuzzy Hash: 1030ccab036599bd2654157e872b8165e26a8edb0f66a7670170499d2db33e5d
Instruction Fuzzy Hash: E0318E72B09A8A86EB24CB25E6601787371FB44FC4F08C076DA5D97799DE2CE891C340

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9HwMaWcccx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: 9HwMaWcccx.exePID: 7404, Parent PID: 2580

General

Chronological Activities

Windows Analysis Report
9HwMaWcccx.exe