Edit tour

Windows Analysis Report
Bzw4UJiXNj.exe

Overview

General Information

Sample name:	Bzw4UJiXNj.exe renamed because original name is a hash value
Original sample name:	4b61a3d79a892267bf6e76a54e188cc0.exe
Analysis ID:	1528625
MD5:	4b61a3d79a892267bf6e76a54e188cc0
SHA1:	e1dc7ad66e65bf5ca6701eb224d11761c56b1288
SHA256:	6bff92bd6fb84f1a453ead8ef017b6ae42a78b7fbbbd6414ec8a9cd669bf3b05
Tags:	64exetrojan
Infos:

Detection

Metasploit

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

File is packed with WinRar

Found dropped PE file which has not been started or loaded

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Bzw4UJiXNj.exe (PID: 3632 cmdline: "C:\Users\user\Desktop\Bzw4UJiXNj.exe" MD5: 4B61A3D79A892267BF6E76A54E188CC0)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	JoeSecurity_MetasploitPayload	Yara detected Metasploit Payload	Joe Security
C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	Windows_Trojan_Metasploit_24338919	Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon).	unknown	0xac9f:$a1: 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Avira: detection malicious, Label: TR/Patched.Gen2

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	Virustotal: Detection: 81%			Perma Link

Multi AV Scanner detection for submitted file

Source: Bzw4UJiXNj.exe	ReversingLabs: Detection: 66%
Source: Bzw4UJiXNj.exe	Virustotal: Detection: 69%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Bzw4UJiXNj.exe

Joe Sandbox ML: detected

Source: Bzw4UJiXNj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp, Icon-https.exe.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Bzw4UJiXNj.exe

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DAB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,PostMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646DAB190
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646D940BC
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBFCA0 FindFirstFileExA,	0_2_00007FF646DBFCA0

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Videos\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Music\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\OneDrive\desktop.ini	Jump to behavior

Source: Icon-https.exe.0.dr	String found in binary or memory: http://www.apache.org/
Source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp, Icon-https.exe.0.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Icon-https.exe.0.dr	String found in binary or memory: http://www.zeustech.net/

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, type: DROPPED

Matched rule: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon). Author: unknown

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646D8C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF646D8C2F0

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB0754	0_2_00007FF646DB0754
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D8F930	0_2_00007FF646D8F930
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D94928	0_2_00007FF646D94928
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9A4AC	0_2_00007FF646D9A4AC
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA3484	0_2_00007FF646DA3484
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DAB190	0_2_00007FF646DAB190
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D85E24	0_2_00007FF646D85E24
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA1F20	0_2_00007FF646DA1F20
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DACE88	0_2_00007FF646DACE88
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBC838	0_2_00007FF646DBC838
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D84840	0_2_00007FF646D84840
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC2550	0_2_00007FF646DC2550
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D876C0	0_2_00007FF646D876C0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA53F0	0_2_00007FF646DA53F0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9B534	0_2_00007FF646D9B534
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA21D0	0_2_00007FF646DA21D0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9F180	0_2_00007FF646D9F180
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D8A310	0_2_00007FF646D8A310
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D8C2F0	0_2_00007FF646D8C2F0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D87288	0_2_00007FF646D87288
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9126C	0_2_00007FF646D9126C
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC2080	0_2_00007FF646DC2080
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA8DF4	0_2_00007FF646DA8DF4
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB0754	0_2_00007FF646DB0754
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA2D58	0_2_00007FF646DA2D58
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9AF18	0_2_00007FF646D9AF18
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB8C1C	0_2_00007FF646DB8C1C
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA4B98	0_2_00007FF646DA4B98
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9BB90	0_2_00007FF646D9BB90
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D95B60	0_2_00007FF646D95B60
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB89A0	0_2_00007FF646DB89A0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA3964	0_2_00007FF646DA3964
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D9C96C	0_2_00007FF646D9C96C
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC5AF8	0_2_00007FF646DC5AF8
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D81AA4	0_2_00007FF646D81AA4
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DA2AB0	0_2_00007FF646DA2AB0
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBFA94	0_2_00007FF646DBFA94
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D91A48	0_2_00007FF646D91A48

Source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameab.exeF vs Bzw4UJiXNj.exe

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, type: DROPPED

Matched rule: Windows_Trojan_Metasploit_24338919 os = windows, severity = x86, description = Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = ac76190a84c4bdbb6927c5ad84a40e2145ca9e76369a25ac2ffd727eefef4804, id = 24338919-8efe-4cf2-a23a-a3f22095b42d, last_modified = 2021-08-23

Source: Icon-https.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal96.troj.winEXE@1/3@0/0

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646D8B6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF646D8B6D8

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DA8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF646DA8624

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: Bzw4UJiXNj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bzw4UJiXNj.exe	ReversingLabs: Detection: 66%
Source: Bzw4UJiXNj.exe	Virustotal: Detection: 69%

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File read: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Section loaded: linkinfo.dll	Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Bzw4UJiXNj.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Bzw4UJiXNj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Bzw4UJiXNj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Bzw4UJiXNj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp, Icon-https.exe.0.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Bzw4UJiXNj.exe

Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Bzw4UJiXNj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6096718

Jump to behavior

Source: Bzw4UJiXNj.exe	Static PE information: section name: .didat
Source: Bzw4UJiXNj.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC5156 push rsi; retf		0_2_00007FF646DC5157
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DC5166 push rsi; retf		0_2_00007FF646DC5167

Source: Icon-https.exe.0.dr

Static PE information: section name: .text entropy: 7.021725181628894

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DAB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,PostMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646DAB190
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646D940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF646D940BC
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DBFCA0 FindFirstFileExA,	0_2_00007FF646DBFCA0

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DB16A4 VirtualQuery,GetSystemInfo,

0_2_00007FF646DB16A4

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Videos\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\Music\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	File opened: C:\Users\user\OneDrive\desktop.ini	Jump to behavior

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DB76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF646DB76D8

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DC0D20 GetProcessHeap,

0_2_00007FF646DC0D20

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF646DB76D8
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB3354 SetUnhandledExceptionFilter,	0_2_00007FF646DB3354
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF646DB2510
Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe	Code function: 0_2_00007FF646DB3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF646DB3170

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DAB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,PostMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF646DAB190

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DC58E0 cpuid

0_2_00007FF646DC58E0

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF646DAA2CC

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646DB0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF646DB0754

Source: C:\Users\user\Desktop\Bzw4UJiXNj.exe

Code function: 0_2_00007FF646D951A4 GetVersionExW,

0_2_00007FF646D951A4

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	3 Software Packing	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	12 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Bzw4UJiXNj.exe	67%	ReversingLabs	Win64.Trojan.CryptZMarte
Bzw4UJiXNj.exe	69%	Virustotal		Browse
Bzw4UJiXNj.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	100%	Avira	TR/Patched.Gen2
C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	84%	ReversingLabs	Win32.Backdoor.Swrort
C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe	82%	Virustotal		Browse

Source	Detection	Scanner	Link
http://www.zeustech.net/	0%	Virustotal	Browse
http://www.apache.org/	0%	Virustotal	Browse
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal	Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Bzw4UJiXNj.exe, 00000000.00000003.2115529243.00000279499A2000.00000004.00000020.00020000.00000000.sdmp, Icon-https.exe.0.dr	false	0%, Virustotal, Browse	unknown
http://www.apache.org/	Icon-https.exe.0.dr	false	0%, Virustotal, Browse	unknown
http://www.zeustech.net/	Icon-https.exe.0.dr	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528625
Start date and time:	2024-10-08 05:08:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Bzw4UJiXNj.exe renamed because original name is a hash value
Original Sample Name:	4b61a3d79a892267bf6e76a54e188cc0.exe
Detection:	MAL
Classification:	mal96.troj.winEXE@1/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 68 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Users\user\Desktop\Bzw4UJiXNj.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73802
Entropy (8bit):	6.32292825214426
Encrypted:	false
SSDEEP:	1536:IPoaiZ2dMsk7otVGNvoBGZ063+GsWOVMb+KR0Nc8QsJq39:W1c2dZtM68063fee0Nc8QsC9
MD5:	07E1BC43F53A20F738039F5BD8D081EC
SHA1:	8F6C6DD58009C7E87BCBE565D2D1702D77E70BA2
SHA-256:	62E57F61112880D6D11D3FD7E0FB6BEA47215A5041BD66B170BCE4EF4CE8BF60
SHA-512:	E3BD6A8F983AF417E2BD67BCCD6EBCF949C36A9115EBB1179BE96BEE9C43FB4B164D55BC3A67ED471450CE58E1664938A81DFAE1BF919846BFC52056168F405A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, Author: Joe Security Rule: JoeSecurity_MetasploitPayload, Description: Yara detected Metasploit Payload, Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, Author: Joe Security Rule: Windows_Trojan_Metasploit_24338919, Description: Identifies metasploit wininet reverse shellcode. Also used by other tools (like beacon)., Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84% Antivirus: Virustotal, Detection: 82%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ..Y...z...Y..._...Y..Rich.Y..................PE..L....<>J.............................?............@..........................`..............................................l...x....P...............................................................................................................text...f........................... ..`.rdata..............................@..@.data...\p.......@..................@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\microsoft_office_word_logo_icon_145724.ico

Download File

Process:	C:\Users\user\Desktop\Bzw4UJiXNj.exe
File Type:	MS Windows icon resource - 1 icon, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	67646
Entropy (8bit):	4.599798862733515
Encrypted:	false
SSDEEP:	384:J55555555555555555555555555555555555555555555555555555555555555V:/vmmmmmuRb+PtPdOvJ
MD5:	26C3AA5599218EB4B32C5A042F099320
SHA1:	5443FDA4FEC6F022B46DC54A73CAC835ECFD1B87
SHA-256:	17C8F8D74D73C1106E25CE25AEDE9408BEA3766E9B05B333DC3EA3DBCEB03C5C
SHA-512:	C90A9204749EC0C234E7DFEA93D12F199BFA275C11E55B2EACA23195E240E552DA1E085518C4025B0233A09640A870B3F0A051DF6CBF760DA910154982325CE1
Malicious:	false
Reputation:	low
Preview:	............ .(.......(............. ..........;...;....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\microsoft_office_word_logo_icon_145724.png

Download File

Process:	C:\Users\user\Desktop\Bzw4UJiXNj.exe
File Type:	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10713
Entropy (8bit):	7.50179523733628
Encrypted:	false
SSDEEP:	192:YzQMA0Eh3B9aSl7Kq+ZmpImcQORPMJ6aUbbRMQMzwySd5mIOumCU4B:YcN9j7KqNljJ5Ujmib
MD5:	1304E793E5FFC4A9508DD9D334F45BE4
SHA1:	05ABC3179625C6863828A5CFA5AD2A19AAE372D2
SHA-256:	E6C42A78E2A0A76DA607F8A3338A779670336B56100B92A618896D4209ED7DD8
SHA-512:	2A62FDA3ACA049E6A7C1ED31FA0A858D6B0F12F1F840E2D51CF75F3312B1421F7EFC02E32FF034E7DAB07BDC9A772820E685215AA42240F16241D26ECA9001A9
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............x....).IDATx...i.\.y..........g_8...k42d$H.........X....;.a... . o.....A...A..B6X......9+.}.....k.'...7{z....{...>...]o..y.:.=.......................................................Q.....3....&.v).}../.nI.].....R.qE:.PGMd.......:../L...~..v.T.g....M...............d+_...I....#.1.#.B......I.+S..._X.~3.......e........z..-...7.~..}~.H#....g.w.. ......k....\|.....W.../d..S.~g.KA..&....'."..>..._Z....<.....m...%.\....]..}....[.."..<..wo\|.(.S.u.....7^..U_.....g.3. ...w..Ed.>...W...?.....\|... ,.%..u-..D.)..x......Az.<.3.7. ,\|O<...G=..o...;......T.~U......8...w...?.\............u-...n........K...^[{.W.... .U.K.M... .~.........@:...:..@.....OK....@jl\|e..3.. .L..u].. ]..>'.........M..)......l,D:...@..5........t].. ..R... ...u].. ...}....M..u...t2&XM..)..^.5......%..W........u...........................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.694905962044059
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Bzw4UJiXNj.exe
File size:	536'027 bytes
MD5:	4b61a3d79a892267bf6e76a54e188cc0
SHA1:	e1dc7ad66e65bf5ca6701eb224d11761c56b1288
SHA256:	6bff92bd6fb84f1a453ead8ef017b6ae42a78b7fbbbd6414ec8a9cd669bf3b05
SHA512:	4970d37d95accc39709886f45125a3059e58c4dc91dee46591737ad0279efb8f395625fff67a0daa30a6f8b29f79af13aeadf71c2b9f18844a2883e004b06884
SSDEEP:	12288:wyveQB/fTHIGaPkKEYzURNAwbAg6c0tY0BfYM:wuDXTIGaPhEYzUzA0L0thBfV
TLSH:	95B44A35EA9414B5F3FAD538945A8503E27D3C0DC228766A12F022661FF7B778B2B319
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	0b03084c4e4e0383

Static PE Info

General

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FAE50B99F78h
dec eax
add esp, 28h
jmp 00007FAE50B9990Fh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007FAE50B98D93h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007FAE50B99AA3h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007FAE50B9BAB7h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FAE50B88323h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FAE50B9AB72h
int3
jmp 00007FAE50BA0D54h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x154f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x154f4	0x15600	3fc741d3ed0e5cdaebe6cc1c5f34a0a3	False	0.1883109466374269	data	5.3514803031072535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x70554	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x7109c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x72648	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 15118 x 15118 px/m			0.06374955637051934
RT_DIALOG	0x82e70	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x830f8	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x83234	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x83320	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x83450	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x83788	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x839dc	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x83bc0	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x83d8c	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x83f44	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x8408c	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x844f8	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x84660	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x847b4	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x848c0	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x8497c	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x84b3c	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x84d8c	0x14	data			1.15
RT_MANIFEST	0x84da0	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	23:08:55
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\Bzw4UJiXNj.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Bzw4UJiXNj.exe"
Imagebase:	0x7ff646d80000
File size:	536'027 bytes
MD5 hash:	4B61A3D79A892267BF6E76A54E188CC0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Executed Functions

Function 00007FF646DAB190 Relevance: 127.4, APIs: 62, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D8255C: GetDlgItem.USER32 ref: 00007FF646D825AC
Part of subcall function 00007FF646D8255C: SetWindowTextW.USER32 ref: 00007FF646D825C8

EndDialog.USER32 ref: 00007FF646DAB2D0
SetDlgItemTextW.USER32 ref: 00007FF646DAB320
GetMessageW.USER32 ref: 00007FF646DAB350
IsDialogMessageW.USER32 ref: 00007FF646DAB369
TranslateMessage.USER32 ref: 00007FF646DAB37B
DispatchMessageW.USER32 ref: 00007FF646DAB389
EndDialog.USER32 ref: 00007FF646DAB3D3
GetDlgItem.USER32 ref: 00007FF646DAB410
SendMessageW.USER32 ref: 00007FF646DAB431
SendMessageW.USER32 ref: 00007FF646DAB449
SetFocus.USER32 ref: 00007FF646DAB452
GetLastError.KERNEL32 ref: 00007FF646DAB634
GetLastError.KERNEL32 ref: 00007FF646DAB665
GetTickCount.KERNEL32 ref: 00007FF646DAB68B
GetLastError.KERNEL32 ref: 00007FF646DAB6F5
GetCommandLineW.KERNEL32 ref: 00007FF646DAB841
CreateFileMappingW.KERNEL32 ref: 00007FF646DAB900
MapViewOfFile.KERNEL32 ref: 00007FF646DAB923
Sleep.KERNEL32 ref: 00007FF646DAB9B6
UnmapViewOfFile.KERNEL32 ref: 00007FF646DAB9DF
CloseHandle.KERNEL32 ref: 00007FF646DAB9E8
SetDlgItemTextW.USER32 ref: 00007FF646DABCDE
SetForegroundWindow.USER32 ref: 00007FF646DAC07D
DialogBoxParamW.USER32 ref: 00007FF646DAC0D7
EndDialog.USER32 ref: 00007FF646DAC0EF
EnableWindow.USER32 ref: 00007FF646DAC2A6
SendMessageW.USER32 ref: 00007FF646DAC2F8
PostMessageW.USER32 ref: 00007FF646DAC300
ShellExecuteExW.SHELL32 ref: 00007FF646DAB95B

Part of subcall function 00007FF646D9AAE0: LoadStringW.USER32 ref: 00007FF646D9AB67
Part of subcall function 00007FF646D9AAE0: LoadStringW.USER32 ref: 00007FF646D9AB80

SendMessageW.USER32 ref: 00007FF646DABEC3
SendDlgItemMessageW.USER32 ref: 00007FF646DABEEA
GetDlgItem.USER32 ref: 00007FF646DABEF8
SendMessageW.USER32 ref: 00007FF646DABF12
GetDlgItem.USER32 ref: 00007FF646DABF4F
SetDlgItemTextW.USER32 ref: 00007FF646DABFEC
SetDlgItemTextW.USER32 ref: 00007FF646DAC004
SetDlgItemTextW.USER32 ref: 00007FF646DAC321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAC363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAC369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAC36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAC375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAC37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAC381
SendDlgItemMessageW.USER32 ref: 00007FF646DAC449
EndDialog.USER32 ref: 00007FF646DAC463
GetDlgItem.USER32 ref: 00007FF646DAC491
SetFocus.USER32 ref: 00007FF646DAC49A
SendDlgItemMessageW.USER32 ref: 00007FF646DAC53E
FindFirstFileW.KERNEL32 ref: 00007FF646DAC562
FindClose.KERNEL32 ref: 00007FF646DAC68A
SendDlgItemMessageW.USER32 ref: 00007FF646DAC7AF

Part of subcall function 00007FF646D8129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF646D81396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DACAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DACAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DACAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DACABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DACAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DACAC7

Strings

runas, xrefs: 00007FF646DAB7C9
STARTDLG, xrefs: 00007FF646DAB1CA
%s %s, xrefs: 00007FF646DAC6D9, 00007FF646DAC946
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF646DAB799
LICENSEDLG, xrefs: 00007FF646DAC0C9
@, xrefs: 00007FF646DAB7B6
REPLACEFILEDLG, xrefs: 00007FF646DAC3D3
p, xrefs: 00007FF646DAB7AB
__tmp_rar_sfx_access_check_, xrefs: 00007FF646DAB6A9
winrarsfxmappingfile.tmp, xrefs: 00007FF646DAB8E0

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ItemMessage$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLastWindow$CloseFindFocusLoadStringView$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstForegroundHandleLineMappingParamPostShellSleepTickTranslateUnmap
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 2406191690-2702805183
Opcode ID: 0c64e270eeb3cc0a242973fa26eae57dde3a5bf8809ed376eda01980870d8d08
Instruction ID: c783de94e3bd34a1d5f53e3d28053065be745cd42654e3882ac7b1b5ff873350
Opcode Fuzzy Hash: 0c64e270eeb3cc0a242973fa26eae57dde3a5bf8809ed376eda01980870d8d08
Instruction Fuzzy Hash: 47D2BF62A0CA8381EB20FB25E8542FAE361EFD5794F404335D95D876AADF3EE549C700

Function 00007FF646DACE88 Relevance: 66.7, APIs: 27, Strings: 10, Instructions: 1963windowfileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF646DAD5F3
SendMessageW.USER32 ref: 00007FF646DAD626
SendMessageW.USER32 ref: 00007FF646DAD655
SHFileOperationW.SHELL32 ref: 00007FF646DAD9BB
MoveFileW.KERNEL32 ref: 00007FF646DADB4B
MoveFileExW.KERNEL32 ref: 00007FF646DADB69
GetTempPathW.KERNEL32 ref: 00007FF646DADC49

Part of subcall function 00007FF646D81FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D81FFB

EndDialog.USER32 ref: 00007FF646DADFCA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF646DAEEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAEF5B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF646DAEF67
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF646DAEF73

Strings

<br>, xrefs: 00007FF646DAD6DA, 00007FF646DAD6E9
.tmp, xrefs: 00007FF646DADA85
lnk, xrefs: 00007FF646DAE3CA, 00007FF646DAE3D9
MIN, xrefs: 00007FF646DAEAE5, 00007FF646DAEAF4
HIDE, xrefs: 00007FF646DAE9E5, 00007FF646DAE9F4
MAX, xrefs: 00007FF646DAEA82, 00007FF646DAEA91
ProgramFilesDir, xrefs: 00007FF646DAD4F0
@set:user, xrefs: 00007FF646DADD96, 00007FF646DADDA5
.lnk, xrefs: 00007FF646DAE406, 00007FF646DAE415
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF646DAD501

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskFile$MessageMoveSend$DialogItemOperationPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 2933078328-3916287355
Opcode ID: c0b2aa49ad2b0acab997a33698ebcc2e952028e2f40aaddae65ee8a390eaee56
Instruction ID: 724e2a4bcd23ac5e6aec95367db283d753fb5558e56250739bcaab0325595989
Opcode Fuzzy Hash: c0b2aa49ad2b0acab997a33698ebcc2e952028e2f40aaddae65ee8a390eaee56
Instruction Fuzzy Hash: B213B062B0CB8289EB10FF64D8442FCA7B1EB44798F401636DA5D97AE9DF79E584C340

Function 00007FF646DB0754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF646D9DFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E018
Part of subcall function 00007FF646D9DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E030
Part of subcall function 00007FF646D9DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E05D

Part of subcall function 00007FF646D962DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF646D962F2
Part of subcall function 00007FF646D962DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF646D9632C

Part of subcall function 00007FF646DA946C: OleInitialize.OLE32 ref: 00007FF646DA9486
Part of subcall function 00007FF646DA946C: SHGetMalloc.SHELL32 ref: 00007FF646DA94D4

GetCommandLineW.KERNEL32 ref: 00007FF646DB096E
OpenFileMappingW.KERNEL32 ref: 00007FF646DB0A07
MapViewOfFile.KERNEL32 ref: 00007FF646DB0A30
UnmapViewOfFile.KERNEL32 ref: 00007FF646DB0A46
MapViewOfFile.KERNEL32 ref: 00007FF646DB0A63
UnmapViewOfFile.KERNEL32 ref: 00007FF646DB0ACA
CloseHandle.KERNEL32 ref: 00007FF646DB0AD3
SetEnvironmentVariableW.KERNELBASE ref: 00007FF646DB0BAD
GetLocalTime.KERNEL32 ref: 00007FF646DB0BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF646DB0C13
SetEnvironmentVariableW.KERNEL32 ref: 00007FF646DB0C26
GetModuleHandleW.KERNEL32 ref: 00007FF646DB0C2E
LoadIconW.USER32 ref: 00007FF646DB0C4D
DialogBoxParamW.USER32 ref: 00007FF646DB0CB6
Sleep.KERNEL32 ref: 00007FF646DB0CE6
DeleteObject.GDI32 ref: 00007FF646DB0D0D
DeleteObject.GDI32 ref: 00007FF646DB0D1F
CloseHandle.KERNEL32 ref: 00007FF646DB0D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DB0DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DB0DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DB0DE3

Part of subcall function 00007FF646DAFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF646DAFD43
Part of subcall function 00007FF646DAFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF646DAFDBC

Strings

sfxname, xrefs: 00007FF646DB0B9B
STARTDLG, xrefs: 00007FF646DB0CA5
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF646DB0C02
winrarsfxmappingfile.tmp, xrefs: 00007FF646DB09F9
sfxstime, xrefs: 00007FF646DB0C1F

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: 698fae3a653e1b7d4e45f88450a095eb1b46b52804e719b722bb591d7123fd6d
Instruction ID: 37ec9365b9ae4422134de4535e9ab78eaa9c15e0da9e4cc3c3a2ec224033e4cd
Opcode Fuzzy Hash: 698fae3a653e1b7d4e45f88450a095eb1b46b52804e719b722bb591d7123fd6d
Instruction Fuzzy Hash: EE128E61A1CB8685FB10FB25E8552BDE361FF84B84F404335DA9D86AA9EF3EE144C700

Function 00007FF646D9A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF646D9A504

Part of subcall function 00007FF646DA0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF646DA0F99

SetDlgItemTextW.USER32 ref: 00007FF646D9A573
GetWindowRect.USER32 ref: 00007FF646D9A5AD
GetClientRect.USER32 ref: 00007FF646D9A5BB
GetWindowLongPtrW.USER32 ref: 00007FF646D9A66C
GetWindowRect.USER32 ref: 00007FF646D9A6B2
SetWindowTextW.USER32 ref: 00007FF646D9A6EC
GetSystemMetrics.USER32 ref: 00007FF646D9A6F7
GetWindow.USER32 ref: 00007FF646D9A708
GetWindowRect.USER32 ref: 00007FF646D9A746
GetWindow.USER32 ref: 00007FF646D9A808

Strings

CAPTION, xrefs: 00007FF646D9A6CF
$%s:, xrefs: 00007FF646D9A4EF

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 2100155373-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: 1a2d3bffbfde37a75b5ac1dac8fea2563c9537b9a628824d8c4f1c8f558eef1d
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: 8B91D732B1C64286E758FF29E81066AE7A1FB94788F445635EE4D97B58CF3DE805CB00

Function 00007FF646DA8624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32 ref: 00007FF646DA863D
SizeofResource.KERNEL32 ref: 00007FF646DA8659
LoadResource.KERNEL32 ref: 00007FF646DA8673
LockResource.KERNEL32 ref: 00007FF646DA8685
GlobalAlloc.KERNELBASE ref: 00007FF646DA86A6
GlobalLock.KERNEL32 ref: 00007FF646DA86BB
CreateStreamOnHGlobal.COMBASE ref: 00007FF646DA86E8
GdipAlloc.GDIPLUS ref: 00007FF646DA86FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF646DA8769
GlobalUnlock.KERNEL32 ref: 00007FF646DA878C
GlobalFree.KERNEL32 ref: 00007FF646DA8795

Strings

PNG, xrefs: 00007FF646DA862F

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: d22cab4f53b2359fc91435a4ae5cd5f3258ab031d96d4a0fdb66fc76ddcf6534
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 46411B25B1DA0681FB14BF56D854779E7A0AF88B94F084635CE0E877A4EF7EE449C700

Function 00007FF646D8F930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D91239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D91245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D91251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D91257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D91263

Strings

__tmp_reference_source_, xrefs: 00007FF646D8FCCF, 00007FF646D8FCDE

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: 7118f36cc522cb397597310d0b68a6e51953c9a10550f0bb30b278ed57268a12
Instruction ID: 31d945e22db56fa84ea59206da3601cfaf9df617b47519794bdc5c3a561ce325
Opcode Fuzzy Hash: 7118f36cc522cb397597310d0b68a6e51953c9a10550f0bb30b278ed57268a12
Instruction Fuzzy Hash: 71E2B462A0C6C292EA64FB25E4543FEE761FB85784F405236DB9D836A5CF3EE458C700

Function 00007FF646D84840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D85124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D85E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D85E1C

Strings

CMT, xrefs: 00007FF646D859B2

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: 8d25fd63a65332c14761dec60f90f7e536d3e8df42b0a807d38d0572dc703df0
Instruction ID: dca8f14c83de281cac75258222f4168716e79b21c449e0fa7daf943449f1d079
Opcode Fuzzy Hash: 8d25fd63a65332c14761dec60f90f7e536d3e8df42b0a807d38d0572dc703df0
Instruction Fuzzy Hash: B6E2E022B0C68286EB58FB75D4542FEA7A1FB44788F401635DA6E877A6DF3EE454C300

Function 00007FF646D940BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF646D9410B
FindFirstFileW.KERNELBASE ref: 00007FF646D9415E
GetLastError.KERNEL32 ref: 00007FF646D941AF
FindNextFileW.KERNEL32 ref: 00007FF646D941D7
GetLastError.KERNEL32 ref: 00007FF646D941E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D94315

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: ee5b8a3817742aa34bf8fe6f457784b4fe5053db0f5ec5b81f22969634733f46
Instruction ID: 4db9a74b2ada35561020af245834a9aa19ac7d3e780092b98f8645639b45fd82
Opcode Fuzzy Hash: ee5b8a3817742aa34bf8fe6f457784b4fe5053db0f5ec5b81f22969634733f46
Instruction Fuzzy Hash: 3461A362A0CB4681EA10BF25E85027DA361FB85BA8F105331EABD937D9DF3DD558C700

Function 00007FF646D85E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF646D859B2, 00007FF646D8675B

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: e58ea5d07e30f29eaf86f68642e1cb38961aa44a7661b56cd2ad864dc5164ece
Instruction ID: 5f7dea329760d462429c629e3c3cf860492619477cc565b28c20fd795b9eec47
Opcode Fuzzy Hash: e58ea5d07e30f29eaf86f68642e1cb38961aa44a7661b56cd2ad864dc5164ece
Instruction Fuzzy Hash: 0142EF22B0C6C296EB18FB74C5552FDA7A0EB41758F401A36DB2E936E6DF39E518C700

Function 00007FF646DA1F20 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
Instruction ID: aac4ba4d34f6f58a39dcc0d47b6ee83ba1a7f68b524a16eca7d40df42a25dc86
Opcode Fuzzy Hash: 00cc9b5d49baee892d39d1da46008d2b4229947a5b0a2c39888c4d08721f4c94
Instruction Fuzzy Hash: 68E1D422A0D3828AEB64FF29A5442BDB791FB48748F054239DB4EC7B85DF3EE5418704

Function 00007FF646DA3484 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26af858850e4daafc6f2970d44d6bc4b8aba49acee0196899845173dc4538b23
Instruction ID: 66d49d331732d44b83a4b4487c6d073576f8a5e3db6c680bba821b34ad2275d4
Opcode Fuzzy Hash: 26af858850e4daafc6f2970d44d6bc4b8aba49acee0196899845173dc4538b23
Instruction Fuzzy Hash: F9B1CEA2B0CBC993DE58EA669608BE9A392BB45FC4F498132DE1D87741DF3DE155C300

Function 00007FF646D94928 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID:
API String ID: 3340455307-0
Opcode ID: da87a57a9ac39f65141c41a007b89939efb02abc0997ac81e55b16170c34fd38
Instruction ID: 90e6da457ef9872792c2bf7e9de2476f8a522f8b67cf9d7e221208c501b3b3a0
Opcode Fuzzy Hash: da87a57a9ac39f65141c41a007b89939efb02abc0997ac81e55b16170c34fd38
Instruction Fuzzy Hash: 28410822B19756C6FA64FF11A92076AA252FBC478CF044234DE4D87795DE3DE44AC704

Function 00007FF646D9DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E05D
CreateFileW.KERNEL32 ref: 00007FF646D9E3F0
SetFilePointer.KERNEL32 ref: 00007FF646D9E40E
ReadFile.KERNEL32 ref: 00007FF646D9E436

Part of subcall function 00007FF646D9DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF646D9DDDF

CompareStringW.KERNELBASE ref: 00007FF646D9E559
CloseHandle.KERNEL32 ref: 00007FF646D9E4F3

Part of subcall function 00007FF646D81FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D81FFB

Part of subcall function 00007FF646D951A4: GetVersionExW.KERNEL32 ref: 00007FF646D951D5

Part of subcall function 00007FF646D9DFD0: LoadLibraryExW.KERNELBASE ref: 00007FF646D9DEFF
Part of subcall function 00007FF646D9DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9DFB5
Part of subcall function 00007FF646D9DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9DFBB
Part of subcall function 00007FF646D9DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9DFC1
Part of subcall function 00007FF646D9DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9DFC7

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E755
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E780
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E7A4
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF646D9E7AA
ExitProcess.KERNEL32 ref: 00007FF646D9E7BB

Strings

cryptui.dll, xrefs: 00007FF646D9E1A3
setupapi.dll, xrefs: 00007FF646D9E141
oleaccrc.dll, xrefs: 00007FF646D9E1E9
crypt32.dll, xrefs: 00007FF646D9E187
mlang.dll, xrefs: 00007FF646D9E2BB
RpcRtRemote.dll, xrefs: 00007FF646D9E363
usp10.dll, xrefs: 00007FF646D9E0DE
XmlLite.dll, xrefs: 00007FF646D9E339
msasn1.dll, xrefs: 00007FF646D9E195
imageres.dll, xrefs: 00007FF646D9E24B
atl.dll, xrefs: 00007FF646D9E136
ntshrui.dll, xrefs: 00007FF646D9E12B
apphelp.dll, xrefs: 00007FF646D9E14F
netapi32.dll, xrefs: 00007FF646D9E16B
dhcpcsvc.dll, xrefs: 00007FF646D9E32B
shell32.dll, xrefs: 00007FF646D9E1BF
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF646D9E73B
wkscli.dll, xrefs: 00007FF646D9E2E5
ntmarta.dll, xrefs: 00007FF646D9E1F7
profapi.dll, xrefs: 00007FF646D9E205
netutils.dll, xrefs: 00007FF646D9E283
cryptsp.dll, xrefs: 00007FF646D9E355
dhcpcsvc6.dll, xrefs: 00007FF646D9E31D
mpr.dll, xrefs: 00007FF646D9E291
SetDefaultDllDirectories, xrefs: 00007FF646D9E053
version.dll, xrefs: 00007FF646D9E07B
srvcli.dll, xrefs: 00007FF646D9E221
ieframe.dll, xrefs: 00007FF646D9E120
iphlpapi.DLL, xrefs: 00007FF646D9E267
UXTheme.dll, xrefs: 00007FF646D9E0B2
ws2_32.dll, xrefs: 00007FF646D9E0FF
samcli.dll, xrefs: 00007FF646D9E2C9
kernel32, xrefs: 00007FF646D9E011
comres.dll, xrefs: 00007FF646D9E0F4
devrtl.dll, xrefs: 00007FF646D9E29F
cabinet.dll, xrefs: 00007FF646D9E1DB
uxtheme.dll, xrefs: 00007FF646D9E66D
propsys.dll, xrefs: 00007FF646D9E2AD
shdocvw.dll, xrefs: 00007FF646D9E179
cscapi.dll, xrefs: 00007FF646D9E22F
dnsapi.DLL, xrefs: 00007FF646D9E259
psapi.dll, xrefs: 00007FF646D9E115
WindowsCodecs.dll, xrefs: 00007FF646D9E213
SSPICLI.DLL, xrefs: 00007FF646D9E09C
ws2help.dll, xrefs: 00007FF646D9E10A
WINNSI.DLL, xrefs: 00007FF646D9E275
cryptbase.dll, xrefs: 00007FF646D9E0C8
dsrole.dll, xrefs: 00007FF646D9E37F
linkinfo.dll, xrefs: 00007FF646D9E347
userenv.dll, xrefs: 00007FF646D9E15D
rsaenh.dll, xrefs: 00007FF646D9E0A7
SetDllDirectoryW, xrefs: 00007FF646D9E026
secur32.dll, xrefs: 00007FF646D9E1CD
rasadhlp.dll, xrefs: 00007FF646D9E30F
DXGIDebug.dll, xrefs: 00007FF646D9E086, 00007FF646D9E5B6
lpk.dll, xrefs: 00007FF646D9E0D3
wintrust.dll, xrefs: 00007FF646D9E1B1
sfc_os.dll, xrefs: 00007FF646D9E091
dfscli.dll, xrefs: 00007FF646D9E2F3
dwmapi.dll, xrefs: 00007FF646D9E0BD, 00007FF646D9E661
aclui.dll, xrefs: 00007FF646D9E371
slc.dll, xrefs: 00007FF646D9E23D
clbcatq.dll, xrefs: 00007FF646D9E0E9
peerdist.dll, xrefs: 00007FF646D9E38D
browcli.dll, xrefs: 00007FF646D9E301
samlib.dll, xrefs: 00007FF646D9E2D7

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 729aa0bc78a87cf64f47f55ad2113f2e0944a5e52d0d2a48ebf2ce523c5df02a
Instruction ID: 89d99c2dde96fd30a881cf3f58345a95c3dc4ec84560a4d7a7540578fa73056e
Opcode Fuzzy Hash: 729aa0bc78a87cf64f47f55ad2113f2e0944a5e52d0d2a48ebf2ce523c5df02a
Instruction Fuzzy Hash: A6321B31A0DB8699EB11BF60E8501E9B3A4FF44358F501336DA4E867A9EF3ED259C740

Function 00007FF646D998DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D98E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF646D98F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF646D99F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9A42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9A435

Part of subcall function 00007FF646DA0BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF646DA0B44), ref: 00007FF646DA0BE9

Strings

, xrefs: 00007FF646D99DF9
,, xrefs: 00007FF646D99FAA
STRINGS, xrefs: 00007FF646D99DC1
*messages***, xrefs: 00007FF646D99BC6
@%s:, xrefs: 00007FF646D99F57
*messages***, xrefs: 00007FF646D99C04
DIRECTION, xrefs: 00007FF646D99DE5
$%s:, xrefs: 00007FF646D99F50
MENU, xrefs: 00007FF646D99DD9
DIALOG, xrefs: 00007FF646D99DCD
RTL, xrefs: 00007FF646D99F2E

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: a0ca64e2e6ce2865254327ea7649ce479d77a76cd71c28d6026bad56dc47627e
Instruction ID: 1f377cb6ca40d2a0136a5b63a999c1bfb3bbd1b21b6cfd9d3e36ffab832f4ccd
Opcode Fuzzy Hash: a0ca64e2e6ce2865254327ea7649ce479d77a76cd71c28d6026bad56dc47627e
Instruction Fuzzy Hash: E362B122B1D682D5EB20FF65C4642BDA361FB44788F845232DA4D8B6D9EF3EE549C340

Function 00007FF646DB1900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF646DB1558: DloadProtectSection.DELAYIMP ref: 00007FF646DB15C9

RaiseException.KERNEL32 ref: 00007FF646DB19A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF646DB1993

Part of subcall function 00007FF646DB1868: DloadProtectSection.DELAYIMP ref: 00007FF646DB18C7

LoadLibraryExA.KERNELBASE ref: 00007FF646DB1A46
GetLastError.KERNEL32 ref: 00007FF646DB1A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF646DB1A86
RaiseException.KERNEL32 ref: 00007FF646DB1A9A

Strings

H, xrefs: 00007FF646DB1974

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: f9cbf4a552f3d364b3d08fd9b22b2798b0512748b5cfe66d2ef2a1cc092a83b4
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: F9915A32A19B568AEB00EFA5D8406ACB3B5FB09B98F444635DE0E97758EF39E445C700

Function 00007FF646DAF4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF646DAF747
ShowWindow.USER32 ref: 00007FF646DAF786
GetExitCodeProcess.KERNEL32 ref: 00007FF646DAF7BD
CloseHandle.KERNEL32 ref: 00007FF646DAF7E7
ShowWindow.USER32 ref: 00007FF646DAF83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAF8FB

Strings

Install, xrefs: 00007FF646DAF684
.exe, xrefs: 00007FF646DAF7F2
.inf, xrefs: 00007FF646DAF675
p, xrefs: 00007FF646DAF529

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: 67b61dfe47284e38b67ea0c0b1901cc6ac0d6bddf6aab1d537367ec119b3a945
Instruction ID: 429f2ca62904286ef83ceeea4bd04983a2f0d2b9dc0758efb418664b97dbd6c9
Opcode Fuzzy Hash: 67b61dfe47284e38b67ea0c0b1901cc6ac0d6bddf6aab1d537367ec119b3a945
Instruction Fuzzy Hash: D3C1AE62F0CA0295FB58FB66D944279A3B1AF99B84F044271CA4DC77A4DF3EE495C340

Function 00007FF646DAF0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF646DAAE1C: PeekMessageW.USER32 ref: 00007FF646DAAE32
Part of subcall function 00007FF646DAAE1C: GetMessageW.USER32 ref: 00007FF646DAAE49
Part of subcall function 00007FF646DAAE1C: IsDialogMessageW.USER32 ref: 00007FF646DAAE60
Part of subcall function 00007FF646DAAE1C: TranslateMessage.USER32 ref: 00007FF646DAAE6F
Part of subcall function 00007FF646DAAE1C: DispatchMessageW.USER32 ref: 00007FF646DAAE7A

GetDlgItem.USER32 ref: 00007FF646DAF0E3
ShowWindow.USER32 ref: 00007FF646DAF109
SendMessageW.USER32 ref: 00007FF646DAF11E
SendMessageW.USER32 ref: 00007FF646DAF136
SendMessageW.USER32 ref: 00007FF646DAF157
SendMessageW.USER32 ref: 00007FF646DAF173
SendMessageW.USER32 ref: 00007FF646DAF1B6
SendMessageW.USER32 ref: 00007FF646DAF1D4
SendMessageW.USER32 ref: 00007FF646DAF1E8
SendMessageW.USER32 ref: 00007FF646DAF212
SendMessageW.USER32 ref: 00007FF646DAF22A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 3569833718-0
Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction ID: 5ade036cdc1a2a68aea8c7e66ab75ae96b2f7a3cf2a87fa61903bfc911cd39ff
Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction Fuzzy Hash: 4441A331B1CA4286F710FF61E810BAAA760EB85B99F441235DD0A87FA5CF7ED4458744

Function 00007FF646D8EF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8F542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8F548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8F554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8F55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8F560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8F56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8F572

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 95f682f023754f56a0dcca5eb1f48e82665a17e2aa84d7a71d7c4cda38083178
Instruction ID: c5cff5b6c0ff5840bb98494808f0ec1272dbbf77cf95fa1b0a71134472a0ea78
Opcode Fuzzy Hash: 95f682f023754f56a0dcca5eb1f48e82665a17e2aa84d7a71d7c4cda38083178
Instruction Fuzzy Hash: 7C12C162B0C74185EB10FB65D4482BDA371EB857A8F405336DA6C97AE9DF3ED489C340

Function 00007FF646D924C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF646D9259B
GetLastError.KERNEL32 ref: 00007FF646D925AE
CreateFileW.KERNEL32 ref: 00007FF646D9260E
GetLastError.KERNEL32 ref: 00007FF646D92617
SetFileTime.KERNEL32 ref: 00007FF646D926C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D92736

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: dc46ff84bd0c57c9ac2b9914d0228e8f14f7433d989622a2074281460ea8d587
Instruction ID: f786f95f9cbfbcea6781034107df7a45d3d9c437e0cd38b9df91d549da24d02b
Opcode Fuzzy Hash: dc46ff84bd0c57c9ac2b9914d0228e8f14f7433d989622a2074281460ea8d587
Instruction Fuzzy Hash: DD61C266A1C68185E720AF29E41076EA7B1BB847ACF101334DFAE43AD8DF3ED058C744

Function 00007FF646DAB014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 00007FF646DAB02A
GetObjectW.GDI32 ref: 00007FF646DAB05B
DeleteObject.GDI32 ref: 00007FF646DAB095
DeleteObject.GDI32 ref: 00007FF646DAB0C5

Part of subcall function 00007FF646DA8624: FindResourceW.KERNEL32 ref: 00007FF646DA863D
Part of subcall function 00007FF646DA8624: SizeofResource.KERNEL32 ref: 00007FF646DA8659
Part of subcall function 00007FF646DA8624: LoadResource.KERNEL32 ref: 00007FF646DA8673
Part of subcall function 00007FF646DA8624: LockResource.KERNEL32 ref: 00007FF646DA8685
Part of subcall function 00007FF646DA8624: GlobalAlloc.KERNELBASE ref: 00007FF646DA86A6
Part of subcall function 00007FF646DA8624: GlobalLock.KERNEL32 ref: 00007FF646DA86BB
Part of subcall function 00007FF646DA8624: CreateStreamOnHGlobal.COMBASE ref: 00007FF646DA86E8
Part of subcall function 00007FF646DA8624: GdipAlloc.GDIPLUS ref: 00007FF646DA86FE
Part of subcall function 00007FF646DA8624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF646DA8769
Part of subcall function 00007FF646DA8624: GlobalUnlock.KERNEL32 ref: 00007FF646DA878C
Part of subcall function 00007FF646DA8624: GlobalFree.KERNEL32 ref: 00007FF646DA8795

Strings

], xrefs: 00007FF646DAB063

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
String ID: ]
API String ID: 3561356813-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: a1442191c59c5dab1074f2a8be2acd2dbabe31b656b9975e4a06281dc22fb48d
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: 69118621F0D64246FB64BB22E655379E392AF89BC0F080234DD5D87B99EE2EE8058700

Function 00007FF646DAAE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF646DAAE32
GetMessageW.USER32 ref: 00007FF646DAAE49
IsDialogMessageW.USER32 ref: 00007FF646DAAE60
TranslateMessage.USER32 ref: 00007FF646DAAE6F
DispatchMessageW.USER32 ref: 00007FF646DAAE7A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: b38719a443f9978dc12ed4bcbf63699aba24ab054e79aa4872ff097a252be7d6
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: CCF0EC25B3C94282FB50BB60E895A36E361FFD4705F845635E64EC1854DF2ED548CB00

Function 00007FF646DA91E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF646DA9211
SHAutoComplete.SHLWAPI ref: 00007FF646DA9255

Part of subcall function 00007FF646DA13C4: CompareStringW.KERNEL32 ref: 00007FF646DA13E3

FindWindowExW.USER32 ref: 00007FF646DA923F

Strings

EDIT, xrefs: 00007FF646DA921B, 00007FF646DA9233

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: bb06ac6322e40469370985185bc19ec4d54036f83dc42015bbc3dac0cc999e0c
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: 10013161B1CA4781FA30BF62F8147F6E390BF99784F881231C94D8B659DE2EE149C640

Function 00007FF646D92CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00007FF646D98C9A), ref: 00007FF646D92D22
WriteFile.KERNEL32 ref: 00007FF646D92D6C
WriteFile.KERNELBASE ref: 00007FF646D92D9A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 759593f06e971a5af3dff942057e3884964648b854c35b3f90eb8150d1d2c130
Instruction ID: 075066ff4636e5df8e4f49e3343a40fb8fdb5cf6dc21888a5166735f9eb3f325
Opcode Fuzzy Hash: 759593f06e971a5af3dff942057e3884964648b854c35b3f90eb8150d1d2c130
Instruction Fuzzy Hash: 4451E762A2D54682FB50BF25D45477AA350FF84B98F441331EA0E87A94DF3ED589C340

Function 00007FF646DB03E0 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32 ref: 00007FF646DB0556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DB05C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DB05C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DB05CD

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$TextWindow
String ID:
API String ID: 2912839123-0
Opcode ID: 8a0c15bc77fd32c201e399d9c3f52707d58e70f4a32258776395ca5be8329a26
Instruction ID: 74e733314b14f7c4b68d187eaf70d1bbc2ac172f2ba9471a4b3868b50d8cd229
Opcode Fuzzy Hash: 8a0c15bc77fd32c201e399d9c3f52707d58e70f4a32258776395ca5be8329a26
Instruction Fuzzy Hash: 2851A162F28A5285FF00FBA4D8443BDA362AF45BA4F504736DA1D96BE9DF6ED440C304

Function 00007FF646DB2D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF646DB2D7B

Part of subcall function 00007FF646DB27FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF646DB281E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF646DB2D90
__scrt_release_startup_lock.LIBCMT ref: 00007FF646DB2DFE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF646DB2E51

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: be07adfe2ff90d84b06e69bbd06c8335f3a84335bd1f2ec893dc975b153e802a
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: 8F314C62E4C24342FB54BF66D4513BEE291AF45B84F440734E91ECB6DBDE6FA844C250

Function 00007FF646D93684 Relevance: 6.1, APIs: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF646D9309D), ref: 00007FF646D936CE
CreateDirectoryW.KERNEL32 ref: 00007FF646D93733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF646D9309D), ref: 00007FF646D93791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D937CE

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: 5cda4ea00785afd89f4b2a0283e369f756aeb3863be6a65230e4b36aaec5c4cf
Instruction ID: 816dfb8dec93169656efee05211f0efd89bb89bfa7cbf47af8750f9a08120c37
Opcode Fuzzy Hash: 5cda4ea00785afd89f4b2a0283e369f756aeb3863be6a65230e4b36aaec5c4cf
Instruction Fuzzy Hash: 7B31A376E0C682C1EB20BB25A464279E361FF89798F510331EE9DC37A5DF3ED4498600

Function 00007FF646D92320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF646D92927,?,00100000,?,00000001,00000000,00000000,?,00007FF646D914C1), ref: 00007FF646D92348
ReadFile.KERNELBASE ref: 00007FF646D92367
GetLastError.KERNEL32 ref: 00007FF646D9239B
GetLastError.KERNEL32 ref: 00007FF646D923BA

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: e6d44b3d138243a568f64228955507ebe5ddd126b3d068dee11ac68363b89871
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: 14216221A2C552C1EA60BF31A410239E7A0FB45B9CF144739DA5DC6A84CF7EE8898751

Function 00007FF646D9E948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D9ECD8: ResetEvent.KERNEL32 ref: 00007FF646D9ECF1
Part of subcall function 00007FF646D9ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF646D9ED07

ReleaseSemaphore.KERNEL32 ref: 00007FF646D9E974
CloseHandle.KERNELBASE ref: 00007FF646D9E993
DeleteCriticalSection.KERNEL32 ref: 00007FF646D9E9AA
CloseHandle.KERNEL32 ref: 00007FF646D9E9B7

Part of subcall function 00007FF646D9EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF646D9E95F,?,?,?,00007FF646D9463A,?,?,?), ref: 00007FF646D9EA63
Part of subcall function 00007FF646D9EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF646D9E95F,?,?,?,00007FF646D9463A,?,?,?), ref: 00007FF646D9EA6E

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 502429940-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: f14dc1b5708e9270bf1e287c58983538aab79b51fb16ecd203d45cb0ebf51a1e
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: BB012D32A19A91E2E758BB21E55466DA770FB84B80F004231DB6E43625CF3AE4B88740

Function 00007FF646D9EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF646D9EAE0
SetThreadPriority.KERNEL32 ref: 00007FF646D9EB36

Strings

CreateThread failed, xrefs: 00007FF646D9EAEE

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: c99db7bd832d413f4ad6de042cf9549dbc2644fc143f8f0de377741f0c19de29
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: 7C115B31A0CA42C1E700BF10E8415AAF370FF84788F584331DA5E86669EF3EE596C740

Function 00007FF646DA946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D9DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF646D9DDDF

OleInitialize.OLE32 ref: 00007FF646DA9486
SHGetMalloc.SHELL32 ref: 00007FF646DA94D4

Strings

riched20.dll, xrefs: 00007FF646DA9475

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction ID: 105ab2f536a624946911a80d138132bb0962757be3b7eb59a386d6b55099ef19
Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction Fuzzy Hash: 21F04F7161CA4182EB40BF60F41416AF3A0FB88754F440235E98E82B58DF7DD14DCB00

Function 00007FF646DA095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646DA853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF646DA856C

Part of subcall function 00007FF646D9AAE0: LoadStringW.USER32 ref: 00007FF646D9AB67
Part of subcall function 00007FF646D9AAE0: LoadStringW.USER32 ref: 00007FF646D9AB80

Part of subcall function 00007FF646D81FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D81FFB

Part of subcall function 00007FF646D8129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF646D81396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DB01BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DB01C1
SendDlgItemMessageW.USER32 ref: 00007FF646DB01F2

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: ac2348a629674c2f7f7785d079b65ba149da1fb1da7fc5a5014f7405eaf55abc
Instruction ID: 8d04adf1b3133de52216ac0d1e46d6068122cfb76c2e8a360508b869b24ca4af
Opcode Fuzzy Hash: ac2348a629674c2f7f7785d079b65ba149da1fb1da7fc5a5014f7405eaf55abc
Instruction Fuzzy Hash: 3C51BE62F0C64286FB10BBA5D8552FDA322AB99BC8F440336DE1D977DADE2DE504C340

Function 00007FF646DA9F4C Relevance: 4.6, APIs: 3, Instructions: 146COMMON

Download Yara Rule

APIs

SHFileOperationW.SHELL32 ref: 00007FF646DAA118
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAA184
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAA18A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileOperation
String ID:
API String ID: 2032784890-0
Opcode ID: d84b959cb52ac2b45cb228921a01aff5b742bfe85dfebf4c2a95a99d48551309
Instruction ID: 9c245b354bfff5b6a8309e442d0fea21decdaaba6ca31611ba92a32a56988478
Opcode Fuzzy Hash: d84b959cb52ac2b45cb228921a01aff5b742bfe85dfebf4c2a95a99d48551309
Instruction Fuzzy Hash: AF616B62B1CB42D9EB00FF65D8942BC6361EB98788F444736DA1C93BA9DF3AD595C300

Function 00007FF646D92134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF646D921CF
CreateFileW.KERNEL32 ref: 00007FF646D9223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D922D8

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: 650906bb36444c59f78769edd7e70a31dc34f49dc41decdeb4024168be9b1e6b
Instruction ID: eb55a13a44adc8e7d28bde8afe65a5647156986a0d403c18895a8977eebb1e4c
Opcode Fuzzy Hash: 650906bb36444c59f78769edd7e70a31dc34f49dc41decdeb4024168be9b1e6b
Instruction Fuzzy Hash: D841C572A2C78582EB20BF15E454669A3A1FB85BB8F105334DFAD43AD5CF3EE4948700

Function 00007FF646D823F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF646D8243E
GetWindowTextW.USER32 ref: 00007FF646D82476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D82505

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: 1bf85210b9a87779fb11811f9a7e2f8ba75c636e64e4f9da94f36f1c7ff0fb34
Instruction ID: 54019821001010f61c98d545ce2f3fd59c916a9021c8f50c480861f6ad3c68b0
Opcode Fuzzy Hash: 1bf85210b9a87779fb11811f9a7e2f8ba75c636e64e4f9da94f36f1c7ff0fb34
Instruction Fuzzy Hash: B2217362A1DB8281EA20AF65A84417AA364FB89BD0F145335EB9D43BA9DF3DD150C740

Function 00007FF646DA1F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF646DA205B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF646DA2077
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF646DA2093

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 0ac8b931c67533783bb99e44ed512301af0920adb1b65b15738df05c1e7b1342
Instruction ID: 2765f622f22e671e0b46f6102f21058bf46c5e882b12728a6000b04f64409746
Opcode Fuzzy Hash: 0ac8b931c67533783bb99e44ed512301af0920adb1b65b15738df05c1e7b1342
Instruction Fuzzy Hash: 9331B522B0C68651FB25BB16E4543BDE3A0FB54B84F584231D28C869E9DF7EE946C301

Function 00007FF646D93D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,00007FF646DA07E1), ref: 00007FF646D93D5E
SetFileAttributesW.KERNEL32 ref: 00007FF646D93DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D93E1A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 30421b436104fcb90b4cd2208b99a3bf3782908f0837f7a91d3eb4cb73bf7196
Instruction ID: cef7eee3bb2859323d0bcc363d1feaac55ff10ee4cd0b3db66b731e0be2c989f
Opcode Fuzzy Hash: 30421b436104fcb90b4cd2208b99a3bf3782908f0837f7a91d3eb4cb73bf7196
Instruction Fuzzy Hash: 7521B832B1C68581FE20BF25E465269A361FFC4B98F105334EA9E827A9EF2DD544C600

Function 00007FF646D931BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF646DA0822), ref: 00007FF646D931E7
DeleteFileW.KERNEL32 ref: 00007FF646D93237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D932A1

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 539e2a0488ada646b9a4eb5c90a9f278ffd13936dc8dbc7caf4118334a65d282
Instruction ID: 8c034f316355c687e67a038a444a0bb939667ff92f4483972dc0394a9e33a64c
Opcode Fuzzy Hash: 539e2a0488ada646b9a4eb5c90a9f278ffd13936dc8dbc7caf4118334a65d282
Instruction Fuzzy Hash: 39219832A1C78182FE20BB25F45526EA360FF85B98F501335EA9E87AA9DF3DD544C740

Function 00007FF646D932BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF646D9E5B1,?,?,?,00000000,?), ref: 00007FF646D932E7
GetFileAttributesW.KERNELBASE ref: 00007FF646D93334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D93399

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: a8bcf6e2598255fa991570dfaf367ef52c8767d47326b3423635884fafe6ecbe
Instruction ID: 745bb9ace171cf59a808815ad16d99aaaca8ec9b27260e76315a3c6aac7ecf07
Opcode Fuzzy Hash: a8bcf6e2598255fa991570dfaf367ef52c8767d47326b3423635884fafe6ecbe
Instruction Fuzzy Hash: C2217432A1C68181EA10BB29E454129A361FB89BA4F500331EA9E83BE9DF3DD544C700

Function 00007FF646DBBF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF646DBBF48), ref: 00007FF646DBBF8C
TerminateProcess.KERNEL32(?,?,?,00007FF646DBBF48), ref: 00007FF646DBBF97
ExitProcess.KERNEL32 ref: 00007FF646DBBFA6

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: 960fa3e39819a8362693dd99e5430a1b4b14cfee2e95cef4defefdc5f7504c0a
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: 30E0BF28B0C70946FB547B319895779A7526F88B41F105638D94F8739ACE3FE4498741

Function 00007FF646D8F578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8F895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8F89B

Part of subcall function 00007FF646D93EC8: FindClose.KERNELBASE(?,?,00000000,00007FF646DA0811), ref: 00007FF646D93EFD

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: 1c0bb42e79c9fb00636deaf2d0e282c242ffc3b1dd605f464871389e3482b40a
Instruction ID: 558365a1d511bdabfb49c6c3635ab3e1cafea0fcba2a82d7644d75869dd66c31
Opcode Fuzzy Hash: 1c0bb42e79c9fb00636deaf2d0e282c242ffc3b1dd605f464871389e3482b40a
Instruction Fuzzy Hash: 4D91AF73A1CB8190EB10FF25D8482ADA361FB84BD8F905235EA6C87AE9DF79D545C340

Function 00007FF646D83904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D83AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D83AB9

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 08c6e2d20e94fe5d114b94b17f84e93e5249d169b81ce8341d273cd43f7755ea
Instruction ID: 43098a31d168ffddf835b936b1882df6d6db265e69f54ecc8a44d9b2317bfb18
Opcode Fuzzy Hash: 08c6e2d20e94fe5d114b94b17f84e93e5249d169b81ce8341d273cd43f7755ea
Instruction Fuzzy Hash: B641A062F1C65285FF00FBB1D4446BDA321AF44B98F156335DE2DA7AAADE39D4828300

Function 00007FF646D92778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF646D9274D), ref: 00007FF646D928A9
GetLastError.KERNEL32(?,00007FF646D9274D), ref: 00007FF646D928B8

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: 99cf8cc69fdd218bc5c5f97eaf68ff6d64c772fda5510f758a5dadf289848a94
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: E631D622B2DA56C2FB647F2AD9506B9A354AF04BD8F140331DE1D97790DE3ED4498740

Function 00007FF646D822BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF646D822F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D823F0

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 95739ad7301a08b82252912ada3ab6f57aee1bff7a48893d1edd4817af44debc
Instruction ID: e56007980651652d736b1191828ee10172abd50452144b4061ecfd9899505862
Opcode Fuzzy Hash: 95739ad7301a08b82252912ada3ab6f57aee1bff7a48893d1edd4817af44debc
Instruction Fuzzy Hash: EB31AF22A1C74682EA20BF15E45937AF360EB84B90F445335EAAD87BA9DF3DE544C740

Function 00007FF646D92AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF646D92AFE
SetFileTime.KERNELBASE ref: 00007FF646D92B9B

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: 4dad6599253485e2b1af0d46406bfee68bb45bf2f7e64ce6861d65483f4dfcce
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: 1C21B222E1EB46D1EA62BE51E4257BA97E0AF0179CF154231DE4C46299EE3ED58EC200

Function 00007FF646D92BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF646D92C11
GetLastError.KERNEL32 ref: 00007FF646D92C1E

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: a897901ecd60b9fb2e2a60627a70d00c608e0a3c3b85281cd84aed9ea15f4969
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: 8411AF21A2C642C1FB60BF25E850279A260FB44BB8F540331DA7D922E4CF3ED59AC300

Function 00007FF646D8255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D9A4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF646D9A504
Part of subcall function 00007FF646D9A4AC: SetDlgItemTextW.USER32 ref: 00007FF646D9A573
Part of subcall function 00007FF646D9A4AC: GetWindowRect.USER32 ref: 00007FF646D9A5AD
Part of subcall function 00007FF646D9A4AC: GetClientRect.USER32 ref: 00007FF646D9A5BB

GetDlgItem.USER32 ref: 00007FF646D825AC
SetWindowTextW.USER32 ref: 00007FF646D825C8

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ItemRectTextWindow$Clientswprintf
String ID:
API String ID: 3322643685-0
Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction ID: 4d2c9e38036e2ff44e4c060132e643bc98deaf13b15d147ec5f83081158cddfb
Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction Fuzzy Hash: E4018F20E4D78B81FF597F52E46C279D791AF85744F081275C85D86AEEDE2EE884C340

Function 00007FF646D9EB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF646D9EBAD,?,?,?,?,00007FF646D95752,?,?,?,00007FF646D956DE), ref: 00007FF646D9EB5C
GetProcessAffinityMask.KERNEL32 ref: 00007FF646D9EB6F

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: e18e841553faff2b5171b1767e260f0deedc4b6670ec243495078c92e04a9f33
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: CAE06561B1864A86DB59AF5AC4519AAA3A2BF88B44F848135D60BC3614DE2EE5498B00

Function 00007FF646DB21D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF646DB2200

Part of subcall function 00007FF646DB2F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF646DB2F85

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF646DB2206

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction ID: 0d023a9688cfb65a2a84d31ce42147298f046449025817c0a8392a7cde15ba91
Opcode Fuzzy Hash: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction Fuzzy Hash: 00E01742E1E10B45FD283A771C661B980404F2DFB0E5C6B30DE3EC86DEAE1FA596C110

Function 00007FF646DBD90C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF646DBD922
GetLastError.KERNEL32 ref: 00007FF646DBD934

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: f60214744fc6894da7bb36ed54b249f05c862e25bee5edeeb0a3a2dc4f3001ce
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: 5CE0EC60E0E54746FF18BBF298555B8A6D1AF98F51F044235C90FC625AEE3EA4858600

Function 00007FF646D833E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8388C

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 8948bb9802c6c0987d886fae829bf96634841c4c74bd64b8e97cfea881f89bd5
Instruction ID: 3979f7d7675b156a8002aa3f1c9926d1c3b98db638dcbb49fd5fab9f42122830
Opcode Fuzzy Hash: 8948bb9802c6c0987d886fae829bf96634841c4c74bd64b8e97cfea881f89bd5
Instruction Fuzzy Hash: B3D1D872B0C68696EB28BB6595482BDE7A1FB05B84F053235CB2D877B5CF3DE4618700

Function 00007FF646D95294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9551B

Part of subcall function 00007FF646DA13F4: CompareStringW.KERNEL32 ref: 00007FF646DA145A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: 60054bf23714923d6cf658706c57d8570bb270d346a0b8b9a17da1f048c8cd6a
Instruction ID: 35b8f91de497d8f840e0c3a2b93ed5032026d452960ab1f6d1e5d42e493df590
Opcode Fuzzy Hash: 60054bf23714923d6cf658706c57d8570bb270d346a0b8b9a17da1f048c8cd6a
Instruction Fuzzy Hash: F8610311E0C647C1FAA4BA25943427EDA91AF49BD8F144331EE4DC6AC5EE7FEC588600

Function 00007FF646DA1870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D9E948: ReleaseSemaphore.KERNEL32 ref: 00007FF646D9E974
Part of subcall function 00007FF646D9E948: CloseHandle.KERNELBASE ref: 00007FF646D9E993
Part of subcall function 00007FF646D9E948: DeleteCriticalSection.KERNEL32 ref: 00007FF646D9E9AA
Part of subcall function 00007FF646D9E948: CloseHandle.KERNEL32 ref: 00007FF646D9E9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA1ACB

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 904680172-0
Opcode ID: 706733c944098cb8a605eaf932642e2f84c02d8e7386b9a1576d55af7d044be2
Instruction ID: b11050647bde2faaeee74bf5996aa468a3c8e32ffc25b1155767363496b66391
Opcode Fuzzy Hash: 706733c944098cb8a605eaf932642e2f84c02d8e7386b9a1576d55af7d044be2
Instruction Fuzzy Hash: A261CF62B1DA85A2EE08FB65E5540BCB365FB44F80F544336D72D87AC5CF2AE465C300

Function 00007FF646D8EC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8EEB8

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 89b76225f611734f1827ebf27dd46062ec279a58f062f7148514824cdf62f394
Instruction ID: cfc66b3ca2d5d844797962a1458cdcaf3375ecb433465028df1935cf79f3992b
Opcode Fuzzy Hash: 89b76225f611734f1827ebf27dd46062ec279a58f062f7148514824cdf62f394
Instruction Fuzzy Hash: 6651D562A0C68290FA15BF25D4583BDA751FB85BC8F441236EE6D873A6CE3EE485C740

Function 00007FF646D8E7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D93EC8: FindClose.KERNELBASE(?,?,00000000,00007FF646DA0811), ref: 00007FF646D93EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8E993

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: 7ccb79097edba5c9ff264a6ea3acda2e11d4279ec26602cbe1bb149cda34522a
Instruction ID: 05717219cfda64d4014522b7057dcb23d39d16b2fab95c75d3074ad758185be5
Opcode Fuzzy Hash: 7ccb79097edba5c9ff264a6ea3acda2e11d4279ec26602cbe1bb149cda34522a
Instruction Fuzzy Hash: 4E516F22A1C68681FB60BF29D44937DA361FF84B84F441336EA9D876B9DF2ED441C750

Function 00007FF646D91794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9187D

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: bebb0f9c194fdd9831c81a75273c0277ea796a53f9961829cd6454e8fab382d6
Instruction ID: dfbe3b5b6f4a8aec011e0eb989eded12ded01898ecbe7a7d0a779be66910e9c3
Opcode Fuzzy Hash: bebb0f9c194fdd9831c81a75273c0277ea796a53f9961829cd6454e8fab382d6
Instruction Fuzzy Hash: F1411962B1CA8192EA18BA17EA1037AE251FB48FC4F448635EE5C87F5ADF3DD4558300

Function 00007FF646D92F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D930C8

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 79c0921cd87fe934e762e48f5845e8be846b4b6500caa7e1addc831544741880
Instruction ID: 06e1572a3ac0c69473ec158a5444ce51a6d108656b6ad644115b62b0dbc3a512
Opcode Fuzzy Hash: 79c0921cd87fe934e762e48f5845e8be846b4b6500caa7e1addc831544741880
Instruction Fuzzy Hash: B741D172A1CA41C1EF10BF2AE565379A360EB85BDCF051334EA4D876A9DE3EE444C640

Function 00007FF646DBBDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF646DBBE20

Part of subcall function 00007FF646DBBFB0: GetModuleHandleExW.KERNEL32 ref: 00007FF646DBBFD0
Part of subcall function 00007FF646DBBFB0: GetProcAddress.KERNEL32 ref: 00007FF646DBBFE6
Part of subcall function 00007FF646DBBFB0: FreeLibrary.KERNEL32 ref: 00007FF646DBC00B

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction ID: 07c35ce9a6e3ad340a12a0e4adbafc3687f1d813394576dc3bbcc52b73845c9b
Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction Fuzzy Hash: 4841D022E1CA1686FB24BB11D85027CE6A1BF94F40F444676DA0EC76A9CF3FE940C740

Function 00007FF646D8129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF646D81396

Part of subcall function 00007FF646D81F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF646D81F89

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: cf2633b9da943ca9c126a427f9c2b9753697caf8745c5b584b473be633c00b65
Instruction ID: 58e9f9c80ac372f38012660ff5577505c3a0f8fc543c113afd8d96d075b172ca
Opcode Fuzzy Hash: cf2633b9da943ca9c126a427f9c2b9753697caf8745c5b584b473be633c00b65
Instruction Fuzzy Hash: 13219222A0C75285EA14BF52A804279A250FB09FF0F681B30DE7D87BE5DE7EE4558344

Function 00007FF646DC124C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646DC1280

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction ID: 389b56214bcac53a9dbcb742e2d559e9d96dc57d46600f7d5a42bb69c3503ea6
Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction Fuzzy Hash: 8B113A2691D656C6F720BB50E851539E2A4FB49780F540235E78EDA699DF2EE4008740

Function 00007FF646DAFC68 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646DAF0A4: GetDlgItem.USER32 ref: 00007FF646DAF0E3
Part of subcall function 00007FF646DAF0A4: ShowWindow.USER32 ref: 00007FF646DAF109
Part of subcall function 00007FF646DAF0A4: SendMessageW.USER32 ref: 00007FF646DAF11E
Part of subcall function 00007FF646DAF0A4: SendMessageW.USER32 ref: 00007FF646DAF136
Part of subcall function 00007FF646DAF0A4: SendMessageW.USER32 ref: 00007FF646DAF157
Part of subcall function 00007FF646DAF0A4: SendMessageW.USER32 ref: 00007FF646DAF173
Part of subcall function 00007FF646DAF0A4: SendMessageW.USER32 ref: 00007FF646DAF1B6
Part of subcall function 00007FF646DAF0A4: SendMessageW.USER32 ref: 00007FF646DAF1D4
Part of subcall function 00007FF646DAF0A4: SendMessageW.USER32 ref: 00007FF646DAF1E8
Part of subcall function 00007FF646DAF0A4: SendMessageW.USER32 ref: 00007FF646DAF212
Part of subcall function 00007FF646DAF0A4: SendMessageW.USER32 ref: 00007FF646DAF22A

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAFD03

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: MessageSend$ItemShowWindow_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1587882848-0
Opcode ID: 5bb424aab816160ef4a74488935102a122e6704c0a8f498a4557d78a920d449d
Instruction ID: 31f880fffa8c04ac46ab252f872861757aae537eb4cbe136af0576fa893e76a5
Opcode Fuzzy Hash: 5bb424aab816160ef4a74488935102a122e6704c0a8f498a4557d78a920d449d
Instruction Fuzzy Hash: 2C01DB62A2C68542EE24B725D44637EA311EFC9B94F501335EAAC867DADE2DE1408704

Function 00007FF646D83AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D83B6C

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 454a1fcff6e1850c8b97cdd7684a735fd34d2cefc8bc4c1965818da2daadb151
Instruction ID: 7c089734249346327ee95fe6311b842926b159799e9fee37c813e5c25b2bb22d
Opcode Fuzzy Hash: 454a1fcff6e1850c8b97cdd7684a735fd34d2cefc8bc4c1965818da2daadb151
Instruction Fuzzy Hash: 340196A2E1CB8541FE11BB68E44526DB361FFD9B94F406335E6AC47BA9DF2EE0408704

Function 00007FF646DB1558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF646DB1604: GetModuleHandleW.KERNEL32(?,?,?,00007FF646DB1573,?,?,?,00007FF646DB192A), ref: 00007FF646DB162B

DloadProtectSection.DELAYIMP ref: 00007FF646DB15C9

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction ID: 14b799bbe9d4573d8766a73c17f756f62dc596d0ce66e634427936b5451eec53
Opcode Fuzzy Hash: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction Fuzzy Hash: 5811D760E0CA0781FB61BB05EC843B0E3A0AF18B49F140734C90FC62A9EF3FA895C644

Function 00007FF646D93EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D940BC: FindFirstFileW.KERNELBASE ref: 00007FF646D9410B
Part of subcall function 00007FF646D940BC: FindFirstFileW.KERNELBASE ref: 00007FF646D9415E
Part of subcall function 00007FF646D940BC: GetLastError.KERNEL32 ref: 00007FF646D941AF

FindClose.KERNELBASE(?,?,00000000,00007FF646DA0811), ref: 00007FF646D93EFD

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction ID: be997a304a81245f91864e043202e87c93ef9e9d45771eb3a9a045e9c36313cd
Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction Fuzzy Hash: 73F0AF7290C281C5EB10BF75A120279B7609B1ABBCF191339EA3D472D7CE29D4888744

Function 00007FF646D92490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF646D924A2

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: 4c94b7e4ff52e4ad6d10a6dbc4711f47f5eeac36743ded376101588d0411b5d5
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: B3D01212D1E451C2EE10BB369C6103C6350AFA6739FA40730D63EC16E1CE1E949AAB11

Function 00007FF646D97FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF646D97FD2

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: 020e4544a1179d2fc6c1d02a13291f31f24de3a59f9893b178cf17f744e4a158
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: 38C08C20F0A502C1EF087B26C8C901813A4BB40B08F604234D10DC1120CE2EC4EEA345

Function 00007FF646DBFA04 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF646DBFA59

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction ID: 583e80f921a6045215bd535a3443a0f7a7ae144660506b372e476154cbbe5030
Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction Fuzzy Hash: 85F09054F0E30749FE5C7B629911BB8D2805F49F80F0C5630C90ECA3C9ED2EE6818610

Function 00007FF646D920D0 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000001,00007FF646D9207E), ref: 00007FF646D920F6

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: c17abc1a3fc947d871a2535dda5e7a2cb5dfe90763ce1f5cfaf20bbf7a142139
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: 21F0AF22A1C68285FB24BF20E451379A660EB15B7CF485334D73D811D4CF2AD8A9C300

Function 00007FF646DBD94C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF646DBD98A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: fa1e939bc4c7539475cced27dac14e8d3da6b01aad4282a55baed86d8915154d
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: F0F03051F0D24745FF547BB158617B5D6905F88FA0F485731DD6FC62C9DE2EE4808211

Non-executed Functions

Function 00007FF646D8C2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D8DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF646D8CF4B), ref: 00007FF646D8DE27
Part of subcall function 00007FF646D8DE04: GetLastError.KERNEL32 ref: 00007FF646D8DE88
Part of subcall function 00007FF646D8DE04: CloseHandle.KERNEL32 ref: 00007FF646D8DE9B

wcscpy.LIBCMT ref: 00007FF646D8CBC8
wcscpy.LIBCMT ref: 00007FF646D8CBFE
CreateFileW.KERNEL32 ref: 00007FF646D8CC38
DeviceIoControl.KERNEL32 ref: 00007FF646D8CD01
CloseHandle.KERNEL32 ref: 00007FF646D8CD12
GetLastError.KERNEL32 ref: 00007FF646D8CD2E
RemoveDirectoryW.KERNEL32 ref: 00007FF646D8CD7D
DeleteFileW.KERNEL32 ref: 00007FF646D8CD88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CE89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CE8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CE9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CEAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8CED7

Strings

\??\, xrefs: 00007FF646D8C392, 00007FF646D8C3B8
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF646D8C34F
UNC\, xrefs: 00007FF646D8C53F, 00007FF646D8C55D
SeRestorePrivilege, xrefs: 00007FF646D8C343

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: f1e6eec8ecbe5e09d381db8a89365ebfa2c377f5d47fbbeb23eb751c6f3faf25
Instruction ID: 237788fd9754ea33b5f8a83e64bf884772f41ba226e1abf0d86cf4ce9fd32655
Opcode Fuzzy Hash: f1e6eec8ecbe5e09d381db8a89365ebfa2c377f5d47fbbeb23eb751c6f3faf25
Instruction Fuzzy Hash: 0F62A1A2F1C64285FB00BB74D4493BDA361AB857A8F505331DA6D97AE9DF3DE189C300

Function 00007FF646D9F180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF646DA0528

Part of subcall function 00007FF646D9AAE0: LoadStringW.USER32 ref: 00007FF646D9AB67
Part of subcall function 00007FF646D9AAE0: LoadStringW.USER32 ref: 00007FF646D9AB80

Part of subcall function 00007FF646DAB0DC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF646DA0429), ref: 00007FF646DAB110
Part of subcall function 00007FF646DAB0DC: SetLastError.KERNEL32 ref: 00007FF646DAB153

Part of subcall function 00007FF646D8129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF646D81396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA0490
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA0496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA049C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA04F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA0532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA0538

Strings

%s: %s, xrefs: 00007FF646D9FC11
%ls, xrefs: 00007FF646D9F3AC, 00007FF646D9F3FF

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 2539828978-2259941744
Opcode ID: 9a779180c2f6beaa19fabe2452816d46f3d0bc12dac556602175926542dd33a8
Instruction ID: 23fa9689146ec25a5d2e4db1ab13d71b531fbfb7134cf84b9f8b0c645f57bd22
Opcode Fuzzy Hash: 9a779180c2f6beaa19fabe2452816d46f3d0bc12dac556602175926542dd33a8
Instruction Fuzzy Hash: 6EB2A863A1C68282EA14BB25D4552BEE311FFDA794F104336E69D83BEAEF6DD544C300

Function 00007FF646DC2550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646DC2C12
memcpy_s.LIBCMT ref: 00007FF646DC35BF
memcpy_s.LIBCMT ref: 00007FF646DC3666

Part of subcall function 00007FF646DC38BC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646DC38EE

memcpy_s.LIBCMT ref: 00007FF646DC372F

Part of subcall function 00007FF646DBD008: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646DBD02D

Strings

1#QNAN, xrefs: 00007FF646DC37E8
1#INF, xrefs: 00007FF646DC3807
1#SNAN, xrefs: 00007FF646DC37C9
1#IND, xrefs: 00007FF646DC37AA

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction ID: cdf5675173772ee4f436842bc8a7232a311835019b36a77c4674ab418948b5ac
Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction Fuzzy Hash: BBB2D672E0C2868BE735BE69D4407F9B7A1FB44788F515235DA0B97B88DF3AE5048B40

Function 00007FF646D91A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF646D91A97
GetLongPathNameW.KERNEL32 ref: 00007FF646D91AE0
GetShortPathNameW.KERNEL32 ref: 00007FF646D91B21
GetShortPathNameW.KERNEL32 ref: 00007FF646D91B6A

Part of subcall function 00007FF646DA13C4: CompareStringW.KERNEL32 ref: 00007FF646DA13E3

MoveFileW.KERNEL32 ref: 00007FF646D91DFE
MoveFileW.KERNEL32 ref: 00007FF646D91E65

Part of subcall function 00007FF646D92134: CreateFileW.KERNEL32 ref: 00007FF646D9223C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D91FE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D91FE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D91FED

Strings

rtmp, xrefs: 00007FF646D91CF4, 00007FF646D91D03

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: 6844fc52beb637c2b27de38a8f1773b81546f1263b6adb3febe2d016913ca72a
Instruction ID: bd2f2cc962e09be6ed4f916f375ae8638f8513023160b206c3845fa8164c65c1
Opcode Fuzzy Hash: 6844fc52beb637c2b27de38a8f1773b81546f1263b6adb3febe2d016913ca72a
Instruction Fuzzy Hash: F1F1B122B1CA4281EB10FF65D8941BDA761FB897C8F501236EA4DC3AA9DF3DD588C740

Function 00007FF646D95B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF646D95BC2
GetFullPathNameW.KERNEL32 ref: 00007FF646D95C0E
GetFullPathNameW.KERNEL32 ref: 00007FF646D95D2B
GetFullPathNameW.KERNEL32 ref: 00007FF646D95D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D95EE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D95EE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D95EEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D95EF2

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: b93ad2ce8aad967ae532d61f25a7d43417873e191935b00f4afba2dee12255a3
Instruction ID: 89f48c24daa76f57560ed5e4e594a492d810ffd9875a9b2f41c24d0967ab5f12
Opcode Fuzzy Hash: b93ad2ce8aad967ae532d61f25a7d43417873e191935b00f4afba2dee12255a3
Instruction Fuzzy Hash: 7CA1C362F18A5284FF00BB7988541BDA761AB45BE8F145335DE2D97BD8DE3EE8458300

Function 00007FF646DB3170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF646DB318C
RtlCaptureContext.KERNEL32 ref: 00007FF646DB31B9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF646DB31D3
RtlVirtualUnwind.KERNEL32 ref: 00007FF646DB3214
IsDebuggerPresent.KERNEL32 ref: 00007FF646DB3268
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF646DB3289
UnhandledExceptionFilter.KERNEL32 ref: 00007FF646DB3294

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction ID: 690d9e77e3b4410b4e3cea2a6559a8ab7020765779cc88ddf77f6e24f1805563
Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction Fuzzy Hash: 99316172609B818AFB60AF60E8507EDB364FB84B44F44453ADA4E87B98DF3DD548C710

Function 00007FF646DB76D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF646DB7751
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF646DB7769
RtlVirtualUnwind.KERNEL32 ref: 00007FF646DB77A4
IsDebuggerPresent.KERNEL32 ref: 00007FF646DB77DD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF646DB77E7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF646DB77F2

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: 5f10aecb65bd6f9050c0ed2bbeb6c57a59219b394efa1a4c84906f290e1b8870
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: 0E31743660CB8186E760EF25E8406AEB7A4FB84B54F540236EE8D83B99DF3DD555CB00

Function 00007FF646D81AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D81EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D81EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D81EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D81EBB

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: de7e979c67e4817373834f9f72e386e265cdabefc4602517d7b45e75046ae0e2
Instruction ID: 12782a4e4160361e58ad5d1598007a62c39992ec3299bb4e95500b022259dca0
Opcode Fuzzy Hash: de7e979c67e4817373834f9f72e386e265cdabefc4602517d7b45e75046ae0e2
Instruction Fuzzy Hash: EEB1D762B1868655EB10BB65DC482EDA361FF89784F402331DA6C87BE9DF3DD548C300

Function 00007FF646DBFA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646DBFAC4

Part of subcall function 00007FF646DB7934: GetCurrentProcess.KERNEL32(00007FF646DC0CCD), ref: 00007FF646DB7961

Strings

., xrefs: 00007FF646DBFEE4
*?, xrefs: 00007FF646DBFAEB

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: ccf5deacf73d981d1d8110bf6160b2e8ed40389234723c865e2c1285888dd8de
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: E951F266B18B9581EF14FFA298504B8A3A4FB48FD8B444632DE5D97B89DE3DD0428300

Function 00007FF646DC2080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF646DC210B

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: 59b700944e5499a29a168783f55825faf2bddb4bf75cd13dcd91b89f686a9ae3
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: 40D18332B1C68A87DB74EF15A18466AF7A1F798784F148234DB4E97B44DE3EE941CB00

Function 00007FF646D8B6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF646D8BA9D), ref: 00007FF646D8B6E5
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF646D8BA9D), ref: 00007FF646D8B719
LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF646D8BA9D), ref: 00007FF646D8B743

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction ID: 82a9f3fb0bc66add403f59a12e3ac601bbaf71dc5ebbbec7f220e62064e9028b
Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction Fuzzy Hash: 62016271A0C78682E710BF23B85457AE791FB89BC0F085134EA9E87B59CF3DD5049700

Function 00007FF646DBFCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF646DBFEE4

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction ID: d6ce0b540563b4b5b1cd4ed29586a3aba98117c8d2087b368aa9450b3d00a0f2
Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction Fuzzy Hash: 9631FB22B0C69545FB64BB36A8057B9EA91EB94FE4F148335EE5C87BC9CE3DD5018300

Function 00007FF646DC5AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF646DC5D45
RaiseException.KERNEL32 ref: 00007FF646DC5D56

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction ID: eb8b735d35664509a1c6ccbb5f0f7033cc8a009c82c7ea8113d96e9172da1120
Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction Fuzzy Hash: F5B13F73614B898BEB15EF29C84536C7BA0F784B58F158A31DA5E877A4CF3AD861C700

Function 00007FF646DA8DF4 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646DA85E0: GetDC.USER32 ref: 00007FF646DA85EC
Part of subcall function 00007FF646DA85E0: GetDeviceCaps.GDI32 ref: 00007FF646DA85FD
Part of subcall function 00007FF646DA85E0: ReleaseDC.USER32 ref: 00007FF646DA860A

GetObjectW.GDI32 ref: 00007FF646DA8E48

Part of subcall function 00007FF646DA90B0: GetDC.USER32 ref: 00007FF646DA90D9
Part of subcall function 00007FF646DA90B0: GetObjectW.GDI32 ref: 00007FF646DA9107
Part of subcall function 00007FF646DA90B0: ReleaseDC.USER32 ref: 00007FF646DA91BB

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction ID: 58ce2480b447a75a7f197c75b1193f0097e158503def6223be738321f1ae5b1c
Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction Fuzzy Hash: 0F811C76B1CA1586EB20EF6AD4406ADB771FB88B88F004232DE0E97768DF7AD545C740

Function 00007FF646DAA2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF646DAA315
GetNumberFormatW.KERNEL32 ref: 00007FF646DAA371

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction ID: a21ee3001a8bd3c2482c60a2c73277ae14023dfae6f1f48135c219c285961544
Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction Fuzzy Hash: F3116D32A0CB8595E7A1BF11E8107E9B360FF88B48F844235DA4D83668DF3DE145CB44

Function 00007FF646D9126C Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D924C0: CreateFileW.KERNELBASE ref: 00007FF646D9259B
Part of subcall function 00007FF646D924C0: GetLastError.KERNEL32 ref: 00007FF646D925AE
Part of subcall function 00007FF646D924C0: CreateFileW.KERNEL32 ref: 00007FF646D9260E
Part of subcall function 00007FF646D924C0: GetLastError.KERNEL32 ref: 00007FF646D92617

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D915D0

Part of subcall function 00007FF646D93980: MoveFileW.KERNEL32 ref: 00007FF646D939BD
Part of subcall function 00007FF646D93980: MoveFileW.KERNEL32 ref: 00007FF646D93A34

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 34527147-0
Opcode ID: b6c9c40237190830a1427cc90f699f3ed679a8c4b0b9819d305839f030af1316
Instruction ID: abeba160e729f1188fd23370bc81bffef6a9fabb2fafac3cc9601a68df6773fc
Opcode Fuzzy Hash: b6c9c40237190830a1427cc90f699f3ed679a8c4b0b9819d305839f030af1316
Instruction Fuzzy Hash: 2291B122B2C64682EB50FF62D8542BDA361FB58BC8F405232EE0D87B95DE3ED549C740

Function 00007FF646D951A4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF646D951D5

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
Instruction ID: 0fecdaa7274cdd82a852227bf0a738457e5a04344d66a586cd09fdf9dddbd43d
Opcode Fuzzy Hash: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
Instruction Fuzzy Hash: E50113B1A0CA428AF664BB10E85077AB6A1FB98318F500334D65D82B94DF3EE8048E00

Function 00007FF646DB8C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF646DB8DD3

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction ID: bc1c34fde526836a70aa72b195ebb0f63729521d7afd9dce558f114ead788d0c
Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction Fuzzy Hash: 8781D621A1C2428AEBA8BA15A48067DA390EF91F44F541737DD09DB69DCF3FE845C741

Function 00007FF646DB89A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF646DB8B3A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: a67afc4facc5ba057791de2247d0ce86079b8305fb53327b9d9469c1c008208b
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: 07710721A0C28346FBA8BA2990406BDE7909F42F44F181735DD0DDB7DECE2FE8468B45

Function 00007FF646D9C96C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

gj, xrefs: 00007FF646D9C97B

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction ID: c030e150d7e9b98ba88349c756ca80fa9cb43b1afd2e23d02888cd8363fab0cb
Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction Fuzzy Hash: C55191777286908BD764CF25E410A9EB3A5F388758F445226EF4A93B09CB39E945CF40

Function 00007FF646DBC838 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF646DBC874

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction ID: 1ada4361b2a4dea218821560fd16989f5aca6720872ac6acff80394ff7376c1b
Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction Fuzzy Hash: 2841CEA2718A4586EF44EF2AE5142A9B3A1FB58FD4B499236DE1DC7758DE3DD042C300

Function 00007FF646DC0D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF646DC0D24

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction ID: ea2eb3469b467e2475e2d10b1388c389a68b8f62938d8bb92ee6dacd21ebedc6
Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction Fuzzy Hash: 30B09220E1BE06C2EA083B11AC82294A2A4BF48700F949138C10DC1320DE3E20AA4700

Function 00007FF646DA3964 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction ID: 33dbc584e7a70f8062f1010b40e2ad1ac36795867c1c7f91c89e926391f9922b
Opcode Fuzzy Hash: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction Fuzzy Hash: 8782F473A0D7C186DB15EF28D4046BCBBA2E755B88F19823ACA4E87785DE3ED945C310

Function 00007FF646D876C0 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction ID: 5e2a982efcfffa15b96106223a562cb4d3c607105c820a05a3c43a3d41d88381
Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction Fuzzy Hash: AC627D9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 00007FF646DA53F0 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction ID: d5e13f5cc816695c6ed80f542c89cba64396c5b34b4d717ad87b8ce6f78a3e4d
Opcode Fuzzy Hash: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction Fuzzy Hash: 2B82E0B3A0D6C18ADB15EE28D4446FCBBA1E755B48F098236CA4D87789DE3ED885C710

Function 00007FF646D9BB90 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction ID: 3dcd8908a6d7b37ddc94f3e077d0964f25874c17ca224a5d373488a40069126e
Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction Fuzzy Hash: 2D22E573B246508BD728CF25C89AE5E3766F798744B4B8228DF0ACB789DB39D505CB40

Function 00007FF646DA4B98 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction ID: f24b8644580a42171fba6de4be0210a02b602884a85c1b39164bdded35142500
Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction Fuzzy Hash: 9B32B173A0C6918BE718EF24D550ABC77A1F794B48F058239DA4A87B88DF3DE865C740

Function 00007FF646D87288 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction ID: b84bafced2c0499eae56aa8f662cc7f3dc99707cf6fcdfe06149bba7d2240731
Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction Fuzzy Hash: 5AC1ADB7B281908FE350CF7AE400A9D7BB1F39878CB51A125DF59A3B09D639E645CB40

Function 00007FF646DA2D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction ID: 6fb8f3d6340716ea82d2e50b4887920e50c836f10e156259a2def924a8c4dc0d
Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction Fuzzy Hash: 7EA10473B0C18287EB25FE36D4447B9A692EB90748F594735DA4AC7786CE3EE981C340

Function 00007FF646D9AF18 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction ID: 88bf67e04a677973dc4af75edeb60e1e61efd65ef0e0931667aca4aaecbb90bb
Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction Fuzzy Hash: 40C10673A291E08DE302CBB5A4348FD3FF1E71E34DB4A4251EF9666B4AC6295205DF60

Function 00007FF646D8A310 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction ID: 2f8f876ad0420b0e0a5bd1bf9df00e38a2b8cada35cfe3083ffe72bc9f6b7e25
Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction Fuzzy Hash: 98912162B1C58196EB11FF29D4502FDA721FF95B88F441231EF4E87659EE3AE64AC300

Function 00007FF646D9B534 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction ID: 5f3790f0565d96ae59c7e2953d669d441ca1597bd7c22a35de7b4a91a0c17635
Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction Fuzzy Hash: 95611763F1C1D189EB01EF7585104FEBFB1AB49788B464232CE9997646CE3EE509CB50

Function 00007FF646DA21D0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction ID: f10eb0593905aaf4824605c977895beecc264a1bf75366c1aa1b618946f14045
Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction Fuzzy Hash: 25513673B2C1614BE728AF2AD0047BDB761FB90B48F494234DB4987688DE3EE545CB00

Function 00007FF646DA2AB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction ID: 82e1d961f2c1db69b11900c37e3f1b5a25867017ddc00a09e34830570a9c7527
Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction Fuzzy Hash: DE31B2B2A1C6818BD718FE2696A02BEB791B744344F048239DF4AC7B42DE3DE445C700

Function 00007FF646DC58E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
Instruction ID: cd575b04b22dac7bdda592ac1c477537b4a95a9639459da39937af27922c36b9
Opcode Fuzzy Hash: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
Instruction Fuzzy Hash: CEF068B1B1D6558BDBA5FF29E442629B7D0F708380F548139D58DC7B08DA3D94608F04

Function 00007FF646DB3354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction ID: be0f0106aaf3c7182add355d65803dd277ec44b9e9718d7f5251cda70d65c36a
Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction Fuzzy Hash: A4A0027190CC46D0F744BB10E860871A730FB50700B511231F00EC21A8DF3EA401D304

Function 00007FF646D8D7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8D964

Strings

::$LOGGED_UTILITY_STREAM, xrefs: 00007FF646D8D85F
::$OBJECT_ID, xrefs: 00007FF646D8D880
::$ATTRIBUTE_LIST, xrefs: 00007FF646D8D7FC
:$I30:$INDEX_ALLOCATION, xrefs: 00007FF646D8D849
::$INDEX_ALLOCATION, xrefs: 00007FF646D8D83E
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 00007FF646D8D86A
::$FILE_NAME, xrefs: 00007FF646D8D833
::$INDEX_ROOT, xrefs: 00007FF646D8D854
:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 00007FF646D8D875
::$EA, xrefs: 00007FF646D8D81D
::$BITMAP, xrefs: 00007FF646D8D807
::$DATA, xrefs: 00007FF646D8D812
::$EA_INFORMATION, xrefs: 00007FF646D8D828
::$REPARSE_POINT, xrefs: 00007FF646D8D88B

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: 74d68d42448b2834d40d390ad32eed462d68e051ec4e29c63c0154d737a3ceed
Instruction ID: 88eab69392e56f5e1b09e25f7cb382c984ec3e0663f1b475b48f349121f4bd3f
Opcode Fuzzy Hash: 74d68d42448b2834d40d390ad32eed462d68e051ec4e29c63c0154d737a3ceed
Instruction Fuzzy Hash: 4041E636B09B0599FB00BF60E4843E973B9EB48798F401236DA5D83BA8EF3AD155C340

Function 00007FF646DB2A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF646DB2A26
GetModuleHandleW.KERNEL32 ref: 00007FF646DB2A33
GetModuleHandleW.KERNEL32 ref: 00007FF646DB2A48
GetProcAddress.KERNEL32 ref: 00007FF646DB2A60
GetProcAddress.KERNEL32 ref: 00007FF646DB2A73
CreateEventW.KERNEL32 ref: 00007FF646DB2A9F
DeleteCriticalSection.KERNEL32 ref: 00007FF646DB2AEB
CloseHandle.KERNEL32 ref: 00007FF646DB2AFD

Strings

kernel32.dll, xrefs: 00007FF646DB2A41
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF646DB2A2C
WakeAllConditionVariable, xrefs: 00007FF646DB2A66
SleepConditionVariableCS, xrefs: 00007FF646DB2A56

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction ID: d76768163ce39ef6343f438d4f2f160512bf081b7c1c597c592081748c2480db
Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction Fuzzy Hash: 37210C65E1DA0781FF55BF55E855974E3A0AF48B81F840735C91FC26A8DE3EE445C700

Function 00007FF646D96A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D970A6

Part of subcall function 00007FF646D82004: std::_Xinvalid_argument.LIBCPMT ref: 00007FF646D8200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D970B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D970B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D970C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D970D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D970DC

Strings

UNC, xrefs: 00007FF646D96BBF
DXGIDebug.dll, xrefs: 00007FF646D96A18
\\?\, xrefs: 00007FF646D96A57, 00007FF646D96A66

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: 4f1437804bcdce90e20cec30e65ff0fa4fbfed6c2bf85bcea305f217ae80ce6c
Instruction ID: 4ceeb4c646e9b4740b3d1cde0e88cea3a79ce04481f821ce8f1ae1c79e8c0154
Opcode Fuzzy Hash: 4f1437804bcdce90e20cec30e65ff0fa4fbfed6c2bf85bcea305f217ae80ce6c
Instruction Fuzzy Hash: 6E12AC22B0CA8280EF10FB65D8641ADA371EB85B98F505335DA6D87BE9DF3ED549C340

Function 00007FF646DAA440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D8129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF646D81396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAA72F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAA735
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAA73B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAA741
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAA747
EndDialog.USER32 ref: 00007FF646DAA7BA

Strings

Software\WinRAR SFX, xrefs: 00007FF646DAA52B, 00007FF646DAA53A
GETPASSWORD1, xrefs: 00007FF646DAA773

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 431506467-1315819833
Opcode ID: d8322a208530c57668d9ab0bd9eeb9a998ed53718cd7cec1bf797515a4396991
Instruction ID: f1a7f36a4a3572d774fd7308a363c2635fba9973c20c2499639787ca7f0eb272
Opcode Fuzzy Hash: d8322a208530c57668d9ab0bd9eeb9a998ed53718cd7cec1bf797515a4396991
Instruction Fuzzy Hash: 9DB1BD62F1DB8285FB00BBA4D4442BDA372AB85798F444336DA1DA6BD9DF3EE445C340

Function 00007FF646DA6E80 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF646DA7E9B), ref: 00007FF646DA7080
CreateStreamOnHGlobal.COMBASE ref: 00007FF646DA70B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA7181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA7187

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF646DA6F2C, 00007FF646DA6F3B
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF646DA6ED5, 00007FF646DA6EE4
</html>, xrefs: 00007FF646DA6F72, 00007FF646DA6F81
<html>, xrefs: 00007FF646DA6F13

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2868844859-1533471033
Opcode ID: 99020ba5446ec8b5071b5be278ebc62a02c6a64c5a04705e5c2bdc59161e89ed
Instruction ID: deacda46990671da16d99c8a8a75e7021a22548b127e9d2956eaf026ee383c39
Opcode Fuzzy Hash: 99020ba5446ec8b5071b5be278ebc62a02c6a64c5a04705e5c2bdc59161e89ed
Instruction Fuzzy Hash: C9819F62F1CA4685FB00FBA5D8502FDA371AF49B88F401235DE1D9769AEE3AD50AC344

Function 00007FF646DBE650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646DBE7CD

Strings

nan, xrefs: 00007FF646DBE6B8
INF, xrefs: 00007FF646DBE6C3
NAN(IND), xrefs: 00007FF646DBE6FB
NAN, xrefs: 00007FF646DBE6B1
NAN(SNAN), xrefs: 00007FF646DBE6E5
nan(snan), xrefs: 00007FF646DBE6F0
nan(ind), xrefs: 00007FF646DBE706
inf, xrefs: 00007FF646DBE6D6

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: 4f9e6da3d3bea7ca4d2f52a8e0fa97c9095ac30d6f457ead2aa0c70b130a6292
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: EB41AF72A09B4589EB04EF25E8417ED73A4EB18798F014636EF5D87B58DE3ED025C344

Function 00007FF646DAAE90 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF646DAAEAE

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ItemTextWindow
String ID: LICENSEDLG
API String ID: 2478532303-2177901306
Opcode ID: e29db3841e3cac596c2aa5df9f59b5580221106af80a371471668d29e16b4ce4
Instruction ID: 9be95f254907f2aa1dc80d3a652935b62756fc9e1e9d773b9558843365730ea9
Opcode Fuzzy Hash: e29db3841e3cac596c2aa5df9f59b5580221106af80a371471668d29e16b4ce4
Instruction Fuzzy Hash: 2C417C65B0CA5282FB54BB52E854779E3A1EF85B85F084335D90E83BA4CF3EE546C704

Function 00007FF646DAF390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF646DAF3CF
GetClassNameW.USER32 ref: 00007FF646DAF3FC
GetWindowLongPtrW.USER32 ref: 00007FF646DAF41D
SendMessageW.USER32 ref: 00007FF646DAF437
GetObjectW.GDI32 ref: 00007FF646DAF452
SendMessageW.USER32 ref: 00007FF646DAF487
DeleteObject.GDI32 ref: 00007FF646DAF490
GetWindow.USER32 ref: 00007FF646DAF49E

Strings

STATIC, xrefs: 00007FF646DAF402

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassDeleteLongName
String ID: STATIC
API String ID: 2845197485-1882779555
Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction ID: adc7f322a75b824fb4c07d821ad041e1f94c94341a04debb97a861282515ca26
Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction Fuzzy Hash: D6318F26B0CA4286FA64BB12E5547B9E3A1FF89BC0F040630DD4D87B5ADE3EE4068740

Function 00007FF646D9B9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF646D9BA12
GetProcAddress.KERNEL32 ref: 00007FF646D9BA2D
GetCurrentProcessId.KERNEL32 ref: 00007FF646D9BACA

Part of subcall function 00007FF646D9DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF646D9DDDF

Strings

CryptProtectMemory, xrefs: 00007FF646D9BA08
CryptUnprotectMemory failed, xrefs: 00007FF646D9BAC1
Crypt32.dll, xrefs: 00007FF646D9B9F0
CryptUnprotectMemory, xrefs: 00007FF646D9BA1F
CryptProtectMemory failed, xrefs: 00007FF646D9BA80

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction ID: 4b3e02f83fb4681ee58641c1cad9c5fef19692de697c2f71e140eaf133577941
Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction Fuzzy Hash: 34316B20E0DB06C0FB55BB16E86497AE7A0AF54B94F051335C81E873A4DEBEE549C300

Function 00007FF646DA87D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA8DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA8DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA8DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA8DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DA8DE0

Strings

, xrefs: 00007FF646DA88BE
, xrefs: 00007FF646DA8A55

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: c3d23b65519d6b0e16bf2cf387636935753ce78294b0e94f23a44a4be1d6057b
Instruction ID: 69af2e50130a4e5b0b3902c680e5a611bdc40a1ea9fbd4e54e9ccacf4744ed9e
Opcode Fuzzy Hash: c3d23b65519d6b0e16bf2cf387636935753ce78294b0e94f23a44a4be1d6057b
Instruction Fuzzy Hash: 89F1AE62F1D64684EF10BB65D4482BDA362AB84B98F405731CE6D97BD9DF7EE180C340

Function 00007FF646DB57EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF646DB598A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF646DB5CAD
abort.LIBCMT ref: 00007FF646DB5CE1

Strings

csm, xrefs: 00007FF646DB58D1
csm, xrefs: 00007FF646DB59B1
csm, xrefs: 00007FF646DB5933

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction ID: ddb5ec5882a9bf0986daea5077c3098d7c1ab9565ffbceff74af6d0a0bb5d938
Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction Fuzzy Hash: DDE19072A1C7828AE721FF25D4813ADB7A0FB45B58F144235DA8D9779ACF39E885C700

Function 00007FF646D94F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D94E24: SysAllocString.OLEAUT32 ref: 00007FF646D94E5F

VariantClear.OLEAUT32 ref: 00007FF646D95125

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF646D95017
WQL, xrefs: 00007FF646D9502A
Name, xrefs: 00007FF646D950F9
ROOT\CIMV2, xrefs: 00007FF646D94F7B
Windows 10, xrefs: 00007FF646D9510A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction ID: 490086f6449ee6b412b2c037ecc91d5651eeca9363bbc2e8a7d0a01f152d6964
Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction Fuzzy Hash: 0C712F36A18B15C5EB20EF25D8905ADBBB4FB84B98F445232DA4E87B64CF3ED544C300

Function 00007FF646DB72EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF646DB74F3,?,?,?,00007FF646DB525E,?,?,?,00007FF646DB5219), ref: 00007FF646DB7371
GetLastError.KERNEL32(?,?,00000000,00007FF646DB74F3,?,?,?,00007FF646DB525E,?,?,?,00007FF646DB5219), ref: 00007FF646DB737F
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF646DB74F3,?,?,?,00007FF646DB525E,?,?,?,00007FF646DB5219), ref: 00007FF646DB73A9
FreeLibrary.KERNEL32(?,?,00000000,00007FF646DB74F3,?,?,?,00007FF646DB525E,?,?,?,00007FF646DB5219), ref: 00007FF646DB73EF
GetProcAddress.KERNEL32(?,?,00000000,00007FF646DB74F3,?,?,?,00007FF646DB525E,?,?,?,00007FF646DB5219), ref: 00007FF646DB73FB

Strings

api-ms-, xrefs: 00007FF646DB7391

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction ID: 6c6cffa771b1434d78d6a5b5de7dc910eb879faf68ae786800b856a334cfd839
Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction Fuzzy Hash: 6631C421B1EA4292FF11BB16A800979A794FF48FA0F594735DD2D8B798DF3EE4418710

Function 00007FF646DB1604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF646DB1573,?,?,?,00007FF646DB192A), ref: 00007FF646DB162B
GetProcAddress.KERNEL32(?,?,?,00007FF646DB1573,?,?,?,00007FF646DB192A), ref: 00007FF646DB1648
GetProcAddress.KERNEL32(?,?,?,00007FF646DB1573,?,?,?,00007FF646DB192A), ref: 00007FF646DB1664

Strings

ReleaseSRWLockExclusive, xrefs: 00007FF646DB1653
AcquireSRWLockExclusive, xrefs: 00007FF646DB163E
KERNEL32.DLL, xrefs: 00007FF646DB1624

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: 3396c882a6fcc544ad91896d054a65523850272455a52f55e0857bb91202ca66
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: 23111B30A1EB0681FE65BB05FE40274D2A5AF0DB94F5C5735C81E8639CEE3EE4848640

Function 00007FF646D9ED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D951A4: GetVersionExW.KERNEL32 ref: 00007FF646D951D5

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF646D85AB4), ref: 00007FF646D9ED8C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF646D85AB4), ref: 00007FF646D9ED98
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF646D85AB4), ref: 00007FF646D9EDA8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF646D85AB4), ref: 00007FF646D9EDB6
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF646D85AB4), ref: 00007FF646D9EDC4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF646D85AB4), ref: 00007FF646D9EE05

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction ID: 8ad3dc2834196ad47250bef00aee0f6b889d0412bfea53eb059da5b7fa0bb8ee
Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction Fuzzy Hash: EA519CB2B04651CAEB14EFA8D4545ACB7B1FB48B88B60413ADE0E97B58DF39E545C700

Function 00007FF646D9F010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF646D9F074

Part of subcall function 00007FF646D951A4: GetVersionExW.KERNEL32 ref: 00007FF646D951D5

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF646D9F096
FileTimeToSystemTime.KERNEL32 ref: 00007FF646D9F0A2
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF646D9F0B2
SystemTimeToFileTime.KERNEL32 ref: 00007FF646D9F0C0
SystemTimeToFileTime.KERNEL32 ref: 00007FF646D9F0CE

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction ID: be77b9ac2c0746b6629543f5842bfad7ddfe105eb81e82c2243efb7eeef0b499
Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction Fuzzy Hash: D6313A62B14A51CEFB14EFB5D8901ACB770FB08758B54513AEE0EA7A58EF38D895C700

Function 00007FF646D97918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D97C8C

Strings

sfx, xrefs: 00007FF646D979F3, 00007FF646D97A02
exe, xrefs: 00007FF646D979AF, 00007FF646D979BE
rar, xrefs: 00007FF646D97A9B, 00007FF646D97AAA, 00007FF646D97B67, 00007FF646D97B7C
.rar, xrefs: 00007FF646D97969, 00007FF646D97978

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: ded382a5f33e5d00d019a19aa0952dad5d31072c5da8fffb523e0446b7f74fbf
Instruction ID: 863c196cf2298f5efe627192a1cce0c5177b0d8ee21e3cd8d31070bb9d2f1788
Opcode Fuzzy Hash: ded382a5f33e5d00d019a19aa0952dad5d31072c5da8fffb523e0446b7f74fbf
Instruction Fuzzy Hash: EFA1AF22A1CA0680EB04BF25D8656BCA361BF45B9CF541335DE1E876E9DF3EE589C340

Function 00007FF646DB5CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF646DB5D58

Part of subcall function 00007FF646DB5210: abort.LIBCMT ref: 00007FF646DB5223

_CallSETranslator.LIBVCRUNTIME ref: 00007FF646DB5DA3
abort.LIBCMT ref: 00007FF646DB5FD1

Strings

MOC, xrefs: 00007FF646DB5D6C
RCC, xrefs: 00007FF646DB5D74

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction ID: d6858c9afc0feba2e7a50b68852582ad998be8763f40dff09f5817a7e3f93616
Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction Fuzzy Hash: DF91A173A08B818AE711EF65E8802ADBBA0F744B88F144239EF4D97759DF39D595C700

Function 00007FF646DB4F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF646DB4FAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF646DB5040
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF646DB2F5E), ref: 00007FF646DB508F

Strings

csm, xrefs: 00007FF646DB5026
f, xrefs: 00007FF646DB4FBE

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction ID: 93eb0c476904d3a7393e154d9206efeb23d7cfa1c69c93e127931ed37e394fdc
Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction Fuzzy Hash: 8F51BE32A1D6028AEB54FF16E844A29B795FB40FC8F548230DA5E8778CDF7AEC418740

Function 00007FF646D8CEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF646D8D03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8D0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8D0D7

Part of subcall function 00007FF646D8DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF646D8CF4B), ref: 00007FF646D8DE27
Part of subcall function 00007FF646D8DE04: GetLastError.KERNEL32 ref: 00007FF646D8DE88
Part of subcall function 00007FF646D8DE04: CloseHandle.KERNEL32 ref: 00007FF646D8DE9B

Strings

SeRestorePrivilege, xrefs: 00007FF646D8CF5E
SeSecurityPrivilege, xrefs: 00007FF646D8CF3F

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: cc2cdb65981a4fcc868e5d913d4f06653a23f25da57a99a038b17aaaeb8469e6
Instruction ID: 6560c872d8eb9abbce2b6501605269fe84aa01876f6cca0a611e5b77025ed237
Opcode Fuzzy Hash: cc2cdb65981a4fcc868e5d913d4f06653a23f25da57a99a038b17aaaeb8469e6
Instruction Fuzzy Hash: 2251D362F1C74285FB10FB65D8456BDA360AF947A4F041335DE6E936E6DE3EA485C300

Function 00007FF646DA7B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF646DA7B6F
GetWindowRect.USER32 ref: 00007FF646DA7BC0
ShowWindow.USER32 ref: 00007FF646DA7C96
ShowWindow.USER32 ref: 00007FF646DA7CC3

Strings

RarHtmlClassName, xrefs: 00007FF646DA7C4B

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 2556132b3669e06fd82c4edcfb73ee53acbff31ec70f5bbfd324b20a510b6699
Instruction ID: 8cafc0e5f4c0deab5dfff9015de5f036b51e0624467f34896c9955bde149ba97
Opcode Fuzzy Hash: 2556132b3669e06fd82c4edcfb73ee53acbff31ec70f5bbfd324b20a510b6699
Instruction Fuzzy Hash: 2C517326A0DB4286EB24BF26E45437AE3A1FF85B80F044635DE4E87B55DF3EE4458B00

Function 00007FF646DAFD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF646DAFD43
SetEnvironmentVariableW.KERNEL32 ref: 00007FF646DAFDBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646DAFE1B

Strings

sfxcmd, xrefs: 00007FF646DAFD3C
sfxpar, xrefs: 00007FF646DAFDB5

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: 42a5c16ff962b42e9c466757ddc2add4312beed441a9accfeec164922430c806
Instruction ID: f4b4add9e0f6aba9a27ab286226a7c11b75878f9ef97e5c96148b5e840f9ec24
Opcode Fuzzy Hash: 42a5c16ff962b42e9c466757ddc2add4312beed441a9accfeec164922430c806
Instruction Fuzzy Hash: FB316D72A1CA0684FF04BB65E8841ACA371FB88B98F140636DE5E977A9DF39D046C344

Function 00007FF646DAFED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00007FF646DAFF60
REPLACEFILEDLG, xrefs: 00007FF646DAFF34, 00007FF646DAFF99

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: 3cf293724bd241a863f02e00eeaec4799aae65816bc785f6d8990eaeab02d7b3
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: A521F82590DF4B80FB54BB15F844174E3A0EB89B88F180676DA8DC7764DE3EE599C340

Function 00007FF646DBBFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF646DBBFD0
GetProcAddress.KERNEL32 ref: 00007FF646DBBFE6
FreeLibrary.KERNEL32 ref: 00007FF646DBC00B

Strings

mscoree.dll, xrefs: 00007FF646DBBFC7
CorExitProcess, xrefs: 00007FF646DBBFDF

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction ID: 0761f0c4dc5e8117e0de6ce77dc50ff23848b99fecc15ba053ffab20799c7d4d
Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction Fuzzy Hash: C2F062A1A1DA4681FF44BB11F450679A7A0FF88B90F441139E95F86668DF3EE485C700

Function 00007FF646DC45C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646DC4605

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: 67f62baf7f24e7fdf0f8ba17abf79817f48aafcaf23d2bdc9150ec620eb6ec6f
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: BA81BE22E1CB5A89F720BB6598406BDA6A0BF45B98F404336DD0F93AD9DF3EA445C740

Function 00007FF646D93AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF646D93BBB
CreateFileW.KERNEL32 ref: 00007FF646D93C24
SetFileTime.KERNEL32 ref: 00007FF646D93CEC
CloseHandle.KERNEL32 ref: 00007FF646D93CF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D93D2C

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: 94d33130e0d3e07453908689b86af48371af1e3e167329ed22bda644dbf2c176
Instruction ID: e582d403d5f78572693e6d62276ec4614b0b03424b9ed22b795442f1a04e6cc1
Opcode Fuzzy Hash: 94d33130e0d3e07453908689b86af48371af1e3e167329ed22bda644dbf2c176
Instruction Fuzzy Hash: 5A51A272B1CA4299FB50FF65E4603BDA371AB847ACF014735DE1D867E8DE3994598300

Function 00007FF646DC3F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF646DC4767), ref: 00007FF646DC3F91
WideCharToMultiByte.KERNEL32 ref: 00007FF646DC406D
WriteFile.KERNEL32 ref: 00007FF646DC4093
WriteFile.KERNEL32 ref: 00007FF646DC40D2
GetLastError.KERNEL32 ref: 00007FF646DC410A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: 379a27dcfc7deae5c6f9d90c4870dc7409466e7564b97801cec86189ae0f626d
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: 3751E132A18A5589F710EF25D4403ACBBB1FB54B98F048235DE4E97B98DF3AD156C700

Function 00007FF646DB1E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF646D94DF4), ref: 00007FF646DB1E87
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF646D94DF4), ref: 00007FF646DB1F09
SysAllocString.OLEAUT32 ref: 00007FF646DB1F16

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 8c2dc27bb1e4af113538b7172bb6dd323e96cb8c94470b0dbd49c9d6f404eed7
Instruction ID: 2822b8e8c7f8aacb496961a78f8db011cc6f33e9e1b56d0de0db77807e337bbd
Opcode Fuzzy Hash: 8c2dc27bb1e4af113538b7172bb6dd323e96cb8c94470b0dbd49c9d6f404eed7
Instruction Fuzzy Hash: DF419222A0D64689EB14BF269850279A291EF4CFA4F144734EA6EC7BDDDF3EE1418300

Function 00007FF646DBF414 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF646DBF536

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction ID: 1b263b246b489d75a23119920cad7b00cb414de9a70e562ac51389eac6a1731d
Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction Fuzzy Hash: 8441C262B0DA4281FA19BF16A904675E2D5BF58FE0F198735DD1ECB798EE3EE4408304

Function 00007FF646DC56D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF646DC56FF
_set_statfp.LIBCMT ref: 00007FF646DC571A
_set_statfp.LIBCMT ref: 00007FF646DC5736
_set_statfp.LIBCMT ref: 00007FF646DC5772

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: 85e8720f6cb827ff384e98827a5430ab6b8f10733a1cd38b5da641d8c93b4804
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: 16110676E1CB0F81FA543168E5463798141AF543B0F48C330EA7FCA6D6CE6EACE06205

Function 00007FF646DAFE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF646DAFE41
GetMessageW.USER32 ref: 00007FF646DAFE58
TranslateMessage.USER32 ref: 00007FF646DAFE63
DispatchMessageW.USER32 ref: 00007FF646DAFE6E
WaitForSingleObject.KERNEL32 ref: 00007FF646DAFE7C

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: a4b00ba97e64a0edc2b4133b991023ef3a072dff7487f7e026b0355c20d472c1
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: 47F01221F3C94682F754B760E455B7AA251FFE4B05F441530E54FC2994DF2DD689CB00

Function 00007FF646DB625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF646DB6286
abort.LIBCMT ref: 00007FF646DB64EA

Strings

csm, xrefs: 00007FF646DB62AB
csm, xrefs: 00007FF646DB641A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction ID: 2bafe0c86d822baa8669e9255e7eba238b486b945e009e8d76ac24dbea7e7aac
Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction Fuzzy Hash: B8718D62A0DAD18ADB60BF25985077DBBA0EB05F89F148236DA4C87B89CF2DD495C740

Function 00007FF646DB80F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646DB811B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646DB82ED

Strings

*, xrefs: 00007FF646DB8221
, xrefs: 00007FF646DB8276

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction ID: 27f2cab18d0a4518b14ed4bce6b0504b6922405ced3fd9f88eabf732d3fff3f5
Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction Fuzzy Hash: 8B513372D1DA428AE775BE28844537CBBA1FB06F59F181336C64A8529DCF3EE481C705

Function 00007FF646DC1758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF646DC17CB
MultiByteToWideChar.KERNEL32 ref: 00007FF646DC1894
GetStringTypeW.KERNEL32 ref: 00007FF646DC18AE

Strings

$%s, xrefs: 00007FF646DC175A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction ID: 2efe64d6dafd889b53a490ead4733908ad56ad47f26daec4a77b074678343e53
Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction Fuzzy Hash: 7541A122B1CB959AEB61BF65D8006A9A391FF48BA8F480335DE1E877C4DF3DE4458340

Function 00007FF646DB66A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646DB5210: abort.LIBCMT ref: 00007FF646DB5223

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF646DB674A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF646DB6776

Strings

csm, xrefs: 00007FF646DB6876

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: 34ab705930ee32a3388b211f5dba253cc5c77e852560da0a0f75dcdf755be577
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: 2F514B76A1D78187D620BF16E44126EB7A4FB89F90F140634EB8D87B99CF39E450CB40

Function 00007FF646DC4360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF646DC4446
WriteFile.KERNEL32 ref: 00007FF646DC4479
GetLastError.KERNEL32 ref: 00007FF646DC449B

Strings

U, xrefs: 00007FF646DC4424

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction ID: 2f739ea85dcfce01967785931ded287cf823e21fda5154b310edb26e0ce18eee
Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction Fuzzy Hash: 3141B42261DB8582EB20AF25E4447B9B760FB98794F544231EE4EC7788DF7DD441C700

Function 00007FF646DA90B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF646DA90D9
GetObjectW.GDI32 ref: 00007FF646DA9107
ReleaseDC.USER32 ref: 00007FF646DA91BB

Strings

, xrefs: 00007FF646DA9153

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: b60c1351231857d49382e678897b2c21def9c2d9b710a290845ac79330919a80
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: FD311836618B4286EA14EF13F81862AF7A1FB89FD1F504535ED4A83B58CE3DE449CB00

Function 00007FF646D9E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,00007FF646DA317F,?,?,00001000,00007FF646D8E51D), ref: 00007FF646D9E8BB
CreateSemaphoreW.KERNEL32(?,?,?,00007FF646DA317F,?,?,00001000,00007FF646D8E51D), ref: 00007FF646D9E8CB
CreateEventW.KERNEL32(?,?,?,00007FF646DA317F,?,?,00001000,00007FF646D8E51D), ref: 00007FF646D9E8E4

Strings

Thread pool initialization failed., xrefs: 00007FF646D9E900

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: bcaa5684165a714876ddf8d002c845a57d91331fff738375442aa9d8a705e5ec
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: D221D232E1D60286F710BF24D4547AE76E2EF88B0CF188234CA0D8A295CF7F9459C780

Function 00007FF646DA85E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF646DA85EC
GetDeviceCaps.GDI32 ref: 00007FF646DA85FD
ReleaseDC.USER32 ref: 00007FF646DA860A

Strings

, xrefs: 00007FF646DA8610

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: 322372b3aa4420c3e8245df0f5dc7c9d39f515093ee2604a3e2c75539864e8bd
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: EBE08C20B0CA4282EB187BB6F58912AA261EB4CBD0F158135DA1A87798CE3DC4844300

Function 00007FF646D8D1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 00007FF646D8D46C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8D554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8D55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8D560

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: 3e0de6b87fc756f79ac571a371d77b74ab10159eff9a06e36aa9ff194842a8ae
Instruction ID: 3e89611423ee3ed8391701934838957e88ae8e8ed5065dd08e88abfddcb24de1
Opcode Fuzzy Hash: 3e0de6b87fc756f79ac571a371d77b74ab10159eff9a06e36aa9ff194842a8ae
Instruction Fuzzy Hash: 47A1A462A1CB8681EA10FF65D8542BDA361FF85794F406332EA5D83AE9DF3EE544C700

Function 00007FF646DA0548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF646DA05FC
SetLastError.KERNEL32 ref: 00007FF646DA0697

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5ccedb2c5f7bd69c3059bffbe8bdf76c6f23c3f2fe52f83280dfbc353a50fdd3
Instruction ID: f4450a8ed20090fc28131da84bbb8cbb91c8a31898475466b7ba2189133d814b
Opcode Fuzzy Hash: 5ccedb2c5f7bd69c3059bffbe8bdf76c6f23c3f2fe52f83280dfbc353a50fdd3
Instruction Fuzzy Hash: 7951AF62F1CA4695FB00BF65D4452BCA321EB88B9CF404336DA1D97BEADE29D145C340

Function 00007FF646DA9D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF646DA9DBC
GetLastError.KERNEL32 ref: 00007FF646DA9E08
CreateDirectoryW.KERNEL32 ref: 00007FF646DA9F10
LocalFree.KERNEL32 ref: 00007FF646DA9F20

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: 5a43cb7f5a8bc2b697eb0b834037522765625dc86c8d5e2913923eaf6a834e49
Instruction ID: 70de756aa4969f1698505267d02d29b34722dbca00a42bd2ff6fef429a56da34
Opcode Fuzzy Hash: 5a43cb7f5a8bc2b697eb0b834037522765625dc86c8d5e2913923eaf6a834e49
Instruction Fuzzy Hash: 6251543262CB4286EB50AF62E84476DB774FB84B84F501235EA4E97A58DF3DD544CB40

Function 00007FF646DBDB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646DBDBAF
WideCharToMultiByte.KERNEL32 ref: 00007FF646DBDC81
GetLastError.KERNEL32 ref: 00007FF646DBDCA4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646DBDCD6

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction ID: af563219d16a0331457f972cc6d1754db4c098d0dc51cea05db0127f18722c7e
Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction Fuzzy Hash: 50418032A0C68246FB65BF11D140379E6A0EF98F90F158236DA5E87ADDDF7EE8418700

Function 00007FF646D93980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00007FF646D939BD
MoveFileW.KERNEL32 ref: 00007FF646D93A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D93AEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D93AF1

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: 2b6e6cda77fd8470acf22c2ab4e7c3ce966b7b843ddf4af9049b565a023b9c35
Instruction ID: c4ac0e7f463cd78363a0df85e683ee3a1344b8aa18807c7b6824a091a6979670
Opcode Fuzzy Hash: 2b6e6cda77fd8470acf22c2ab4e7c3ce966b7b843ddf4af9049b565a023b9c35
Instruction Fuzzy Hash: 87419D62F18B5184FF00FF69D8555AC6371BB44BA8B005335DE5EA7AA9DF39D445C300

Function 00007FF646DC0B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF646DBC45B), ref: 00007FF646DC0B91
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF646DBC45B), ref: 00007FF646DC0BF3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF646DBC45B), ref: 00007FF646DC0C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF646DBC45B), ref: 00007FF646DC0C57

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: cf6634fed971d93d925148fa76d7d90e4eeb8404de1a412d5a880947bf129b95
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: 95216131B1CB5581EA24BF126540029F6A5FB94FD0B484235DE9FA3BA4DF3EE4528704

Function 00007FF646DBD440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF646DB7F28,?,?,?,00007FF646DB9D35), ref: 00007FF646DBD44A
SetLastError.KERNEL32(?,?,?,00007FF646DB7F28,?,?,?,00007FF646DB9D35), ref: 00007FF646DBD4B2
SetLastError.KERNEL32(?,?,?,00007FF646DB7F28,?,?,?,00007FF646DB9D35), ref: 00007FF646DBD4C8
abort.LIBCMT ref: 00007FF646DBD4CE

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction ID: 52907dd69b03d9ba9cb1a0e7f356094d6a509063eb24883e5e4801c51055724e
Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction Fuzzy Hash: 05014824B0D64642FA58BB22A65657C91A19F48F90F14473AD92FC27DEED2FF8048600

Function 00007FF646DA8590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF646DA8598
GetDeviceCaps.GDI32 ref: 00007FF646DA85AE
GetDeviceCaps.GDI32 ref: 00007FF646DA85C2
ReleaseDC.USER32 ref: 00007FF646DA85D3

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: c207bd4ade2d758b97a40d85be6128d2d07585cd481708018164e22126e36b3b
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: 76E0ED60F0DA0282FF58BBB2E85913AE190EF58B41F484639CC1FC6360DD3EA085C610

Function 00007FF646D8E34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D8E549

Strings

DXGIDebug.dll, xrefs: 00007FF646D8E35A

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: 959b456e8a22be6a5b0903782329af9a84473569178788a0c59be25aa0c6c2c3
Instruction ID: 49ad1adbb83ec69c89fd77178f9bb30261047d87660fa1cae36898a1d15c5274
Opcode Fuzzy Hash: 959b456e8a22be6a5b0903782329af9a84473569178788a0c59be25aa0c6c2c3
Instruction Fuzzy Hash: 9D71AE72A18B8186EB14EF25E8443ADB3A4FB58BD8F444235DBAD47BA9DF79D051C300

Function 00007FF646DBE1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646DBE237

Strings

gfff, xrefs: 00007FF646DBE362
e+000, xrefs: 00007FF646DBE2DF

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction ID: 1a585ebd62c3aaeb8077fcdbba1adebbba0222cfeea398f1b2d9fe9be172dfdd
Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction Fuzzy Hash: E751E762B1C7C246E725AB359941769AB91AB81FD0F089331C69DCBBD9CE2ED444C700

Function 00007FF646D99408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D995A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF646D995E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D9959C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF646D995A2

Strings

SIZE, xrefs: 00007FF646D99443

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: 049592b23eccf18b91a3e94430bb7a89aa9f7458b84fc95e0ae4febadba54acb
Instruction ID: 3a1aa18861b4fd7b31b9383954db78c9116d5b452feb58624de36bc381888959
Opcode Fuzzy Hash: 049592b23eccf18b91a3e94430bb7a89aa9f7458b84fc95e0ae4febadba54acb
Instruction Fuzzy Hash: BB41D262A2C68286EE50FF24E4513BEA360EF85795F444331EA9D866DAEE3ED544C700

Function 00007FF646DBC2C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646DBC2EA
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF646DB2CD5), ref: 00007FF646DBC30B

Strings

C:\Users\user\Desktop\Bzw4UJiXNj.exe, xrefs: 00007FF646DBC2F9

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\Bzw4UJiXNj.exe
API String ID: 3307058713-3134782488
Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction ID: 69dccee6c17b6bf493a75751437b14a35a0f26b3198057343ff4a8e529a868cc
Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction Fuzzy Hash: 6A417EB6A0CA568AEB15BF25E4401BCF794FF44B94B444236EA5E87B49DE3EE441C340

Function 00007FF646DA9B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646D8255C: GetDlgItem.USER32 ref: 00007FF646D825AC
Part of subcall function 00007FF646D8255C: SetWindowTextW.USER32 ref: 00007FF646D825C8

EndDialog.USER32 ref: 00007FF646DA9C24
SetDlgItemTextW.USER32 ref: 00007FF646DA9CAA

Strings

ASKNEXTVOL, xrefs: 00007FF646DA9B72

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: f0dceadf3d752cefa43c456a4aa636b7842370cfa9b7c94ead96106e5a66dd1b
Instruction ID: 486e842a63e4dc40996209aba8a95c9c5efc1acfd052862e003d7353c268ad4e
Opcode Fuzzy Hash: f0dceadf3d752cefa43c456a4aa636b7842370cfa9b7c94ead96106e5a66dd1b
Instruction Fuzzy Hash: 2441C622E1CA4281FB50BB52E8542B9E3A1EF95BC4F144235DE4D8B7A9CE3EE455C340

Function 00007FF646D99638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF646D996EA

Part of subcall function 00007FF646DA0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF646DA0F99

Strings

$%s, xrefs: 00007FF646D996D7
@%s, xrefs: 00007FF646D996CE

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: 83c0cbaf7c6b32c677ba9b29a56c261177438b0653a5019ba553adedf21a9f16
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: 0431E672B1CA46D5EA10FF66E4506E9A3A0FB44B88F441232DE0D5B799EE3EE509C740

Function 00007FF646DBEB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF646DBEB76
GetFileType.KERNEL32 ref: 00007FF646DBEB8C

Strings

@, xrefs: 00007FF646DBEBB7

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction ID: a715ed6ee414abb0c8c1691515d5972a190e442555817d2dc9cb4f10a48e1bcf
Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction Fuzzy Hash: EA219622E0CB9241EB64BB25D490139A651EB45FB4F281335D66F8B7ECCE3ED881D345

Function 00007FF646DB4078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF646DB1D3E), ref: 00007FF646DB40BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF646DB1D3E), ref: 00007FF646DB4102

Strings

csm, xrefs: 00007FF646DB40EF

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: f0583bca3097946038d0744568c5e0e851395f1f1164d25094ca06ba3cc7cfc2
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: A3113D3261CB8582EB20AB16E440269B7E5FB98B94F184231EF8D47758DF3DD555C700

Function 00007FF646D9EA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF646D9E95F,?,?,?,00007FF646D9463A,?,?,?), ref: 00007FF646D9EA63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF646D9E95F,?,?,?,00007FF646D9463A,?,?,?), ref: 00007FF646D9EA6E

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF646D9EA78

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction ID: 4e0ef05d589eaf86c317ee1f0fae80f5f9cad0143556b4ef9fd50526df8a60c0
Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction Fuzzy Hash: E0E04F21E1DC4281F600BB35DC46878A6507FA1770F941330D13EC55F19F2EAA4AC300

Function 00007FF646D9A43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF646D9A447
FindResourceW.KERNEL32 ref: 00007FF646D9A45D

Strings

RTL, xrefs: 00007FF646D9A453

Memory Dump Source

Source File: 00000000.00000002.2163008136.00007FF646D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646D80000, based on PE: true

Associated: 00000000.00000002.2162996148.00007FF646D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163036733.00007FF646DC8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DDB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163053987.00007FF646DE4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2163078941.00007FF646DEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646d80000_Bzw4UJiXNj.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction ID: 8e5222f6e841c558af9e74f95ff20aef6ab967ad4b61b207e50c7644c757fae2
Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction Fuzzy Hash: 6DD05E91F0D60A82FF197B76A449774A6905F1CB82F484138C85F8A394EE2ED088C750

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bzw4UJiXNj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\RarSFX0\Icon-https.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\microsoft_office_word_logo_icon_145724.ico

C:\Users\user\AppData\Local\Temp\RarSFX0\microsoft_office_word_logo_icon_145724.png

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Bzw4UJiXNj.exePID: 3632, Parent PID: 4004

Windows Analysis Report
Bzw4UJiXNj.exe

Function 00007FF646DB0754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Function 00007FF646D9A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Function 00007FF646DA8624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101
memorywindowCOMMON

Function 00007FF646D940BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Function 00007FF646D9DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Function 00007FF646DB1900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Function 00007FF646DAF4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Function 00007FF646DAF0A4 Relevance: 16.6, APIs: 11, Instructions: 102
windowCOMMON

Function 00007FF646D924C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Function 00007FF646DAB014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Function 00007FF646DAAE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Function 00007FF646DA91E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Function 00007FF646D92CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Function 00007FF646DB03E0 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Function 00007FF646D93684 Relevance: 6.1, APIs: 4, Instructions: 94
COMMON