Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe
Analysis ID:	1532531
MD5:	6e90c863f1166a43e590204d055ee08a
SHA1:	c02e42892470124601b5b1126b2c780bb0f2c502
SHA256:	54abe3ef576221e0d1341371378f36e9f63e3f5576069573910fcad5cf43b24f
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Detected potential crypto function

Found large amount of non-executed APIs

One or more processes crash

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe" MD5: 6E90C863F1166A43E590204D055EE08A)

WerFault.exe (PID: 2656 cmdline: C:\Windows\system32\WerFault.exe -u -p 6576 -s 380 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	ReversingLabs: Detection: 68%
Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Code function: 0_2_00007FF7B8599150 CryptStringToBinaryA,?_Random_device@std@@YAIXZ,_Query_perf_frequency,_Query_perf_counter,log,cos,sin,exp,pow,tan,memset,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,memset,CryptStringToBinaryA,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,malloc,memcpy,getenv,_flushall,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,free,

0_2_00007FF7B8599150

Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Calc\Builds\922AVUSVRZEXKB\x64\Release\Loader.pdb,, source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe
Source:	Binary string: C:\Calc\Builds\922AVUSVRZEXKB\x64\Release\Loader.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Code function: 0_2_00007FF7B85BA518 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,

0_2_00007FF7B85BA518

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Code function: 0_2_00007FF7B8597EC0 InternetOpenA,?_Random_device@std@@YAIXZ,_Query_perf_frequency,_Query_perf_counter,log,cos,sin,exp,pow,tan,memset,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,InternetOpenUrlA,InternetReadFile,memcpy,memset,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7B8597EC0

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85A4580	0_2_00007FF7B85A4580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85A0640	0_2_00007FF7B85A0640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85A36E0	0_2_00007FF7B85A36E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B8599150	0_2_00007FF7B8599150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85B5A00	0_2_00007FF7B85B5A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85A59E3	0_2_00007FF7B85A59E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85B9A20	0_2_00007FF7B85B9A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85943E0	0_2_00007FF7B85943E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85A73E3	0_2_00007FF7B85A73E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B859D3A0	0_2_00007FF7B859D3A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85934B0	0_2_00007FF7B85934B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85BA518	0_2_00007FF7B85BA518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B8594640	0_2_00007FF7B8594640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B8597EC0	0_2_00007FF7B8597EC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85B3080	0_2_00007FF7B85B3080

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6576 -s 380

Source: classification engine

Classification label: mal52.winEXE@2/5@0/0

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6576

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\872a0ad2-417c-43c2-b1d6-3f71c6bd732b

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	ReversingLabs: Detection: 68%
Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Virustotal: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6576 -s 380

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Calc\Builds\922AVUSVRZEXKB\x64\Release\Loader.pdb,, source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe
Source:	Binary string: C:\Calc\Builds\922AVUSVRZEXKB\x64\Release\Loader.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

API coverage: 2.8 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

0_2_00007FF7B85BA518

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Code function: 0_2_00007FF7B85BB480 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7B85BB480

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85BB2A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7B85BB2A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85BB480 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7B85BB480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	Code function: 0_2_00007FF7B85BB660 SetUnhandledExceptionFilter,	0_2_00007FF7B85BB660

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Code function: GetLocaleInfoEx,FormatMessageA,

0_2_00007FF7B85BA33C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Code function: 0_2_00007FF7B85BB6CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7B85BB6CC

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	68%	ReversingLabs	Win64.Trojan.Disco
SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe	63%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532531
Start date and time:	2024-10-13 15:26:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe
Detection:	MAL
Classification:	mal52.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
09:27:29	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_5eddaabcaf5431d6a9e73f24f859e1829c34287e_8bd6df6a_fa43c35e-9b9c-45d3-8592-9ad6b35f7232\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8339947945742358
Encrypted:	false
SSDEEP:	96:jmF9srPh2sJhqQL7qFf1QXIDcQNc6JcEfcw3L+HbHg/rZHLnxZ1Vz3IdguEROyPV:SXsLh2XLo0TNlkjFdzuiFErZ24lO8X
MD5:	04734609A9DBC656A44C0E1D90308D94
SHA1:	011EC49124FC0F12DEFC8E37826A071901DF20AD
SHA-256:	21882E839C14A7267CE87693C45E538A01E8F9C07EBD6CB2B9B5ECE2F7856FC2
SHA-512:	168C6CD07A0FDD6833A7C4FE49F46B73E782FF3EDD3516D60932958AFB2D0B559E4A316EEC9F5836D3CFEC0A52B61602978FE8DD344EC70E7BAA79A7522BC8CF
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.2.9.9.6.3.6.4.9.8.5.4.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.2.9.9.6.3.7.0.6.1.0.5.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.4.3.c.3.5.e.-.9.b.9.c.-.4.5.d.3.-.8.5.9.2.-.9.a.d.6.b.3.5.f.7.2.3.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.f.8.4.0.4.c.-.d.3.d.3.-.4.4.8.b.-.a.b.c.e.-.1.6.b.9.1.1.6.0.5.8.a.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.6.4...M.a.l.w.a.r.e.X.-.g.e.n...1.4.6.5.6...2.4.7.4.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.b.0.-.0.0.0.1.-.0.0.1.4.-.8.1.c.c.-.9.7.9.c.7.3.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.6.4.3.a.d.1.2.d.1.1.a.9.0.5.4.8.d.7.2.a.c.c.4.5.5.0.d.3.e.8.a.0.0.0.0.f.f.f.f.!.0.0.0.0.c.0.2.e.4.2.8.9.2.4.7.0.1.2.4.6.0.1.b.5.b.1.1.2.6.b.2.c.7.8.0.b.b.0.f.2.c.5.0.2.!.S.e.c.u.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3282.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Oct 13 13:27:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	85116
Entropy (8bit):	1.4408355579928152
Encrypted:	false
SSDEEP:	192:ridk4ZrBuHO/9yyT6IQMjspSa+IA/gC9yzT+wLt57/A239TL83Oqy:t4Zr/9/uIQMjK5pTRt539PSOF
MD5:	E7D2362E1FE9EAA0A99D9ADA9F88114C
SHA1:	AED17DA830F05AE6BA89D408B80D293457007BF9
SHA-256:	3C9E16F2247E65614B6BB0BFB2919617D4CC50B04BF8D70448DF90080BAAD3AF
SHA-512:	4E4C482DD7228F6314BBB5DE24F0F12BA4C36900B80230237665EDB104C11595BBB2FD3B58CEEE6B53D902E05CA834C7B81052E4E37CC1A25674724F5880DD18
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g....................................$...........$...(,..........`.......8...........T...........8...D=......................................................................................................eJ......L.......Lw......................T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER331F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8748
Entropy (8bit):	3.7038681675732414
Encrypted:	false
SSDEEP:	192:R6l7wVeJfIPltZ6Y9fcOOgmfcKpDM89bkM2hfWPKqm:R6lXJQPlb6YFLOgmfcOkMQftb
MD5:	F47CC0332F28BEAC41C9CCF91D25EB14
SHA1:	954EA88D7ADCFF26989EB7770A8E228F02737FD0
SHA-256:	60D1273BEBFF4A245379475A2402153FE47A0E0A6072536D7517892BD01BBA25
SHA-512:	A74A995808C764D1A8F30FAD0E386F0C1088DDFA9152E91B6EA00111738A66D8F31F582131B59BE20BFFD50689D77718E12F899ACA559E504610C1E4C49AA7D4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER334F.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4896
Entropy (8bit):	4.562456261672848
Encrypted:	false
SSDEEP:	48:cvIwWl8zsEJg771I9/EWpW8VYBYm8M4J5nu8iF6yq85djLTQsd9D9Ad:uIjfCI7cd7VdJ7cPBAd
MD5:	95B809442E7B1D55822E833919290129
SHA1:	23F3A13093DD88326E703D5E586FBD37ADAC160D
SHA-256:	31A9D7FD56EF4204C395FCEDC5316174FF298FCE473FF517B076CE88898F43CE
SHA-512:	8B10D12B1235F51E097F6EB4557553C98D5980FCEB183D3C0FB43575F490BFB1F83CDAA9BFBE161C618690D52783FD9208115A65001E20BF7D0EEC3DAFC68694
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="541709" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4658535950339875
Encrypted:	false
SSDEEP:	6144:WIXfpi67eLPU9skLmb0b4NWSPKaJG8nAgejZMMhA2gX4WABl0uNLdwBCswSb+:bXD94NWlLZMM6YFHF++
MD5:	1E9FF353F66966B5DE35E95ECE664488
SHA1:	BA3105475861B2AD2B75349A461AED21892A81C6
SHA-256:	08D9C780EA97A3F24568E4E74E599A1D4959D04E1A1FD7A6EBC7CE15AFB5CD8F
SHA-512:	8675FF62D8AC3F50EE2FDAE74C29890B4CC953137208E618510B7FDB3788031E3EE839FE5DD732366059B2500F7E2EA074034371CE7281BD2471B096B65D4127
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm&Z..s...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.342628803287784
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe
File size:	233'472 bytes
MD5:	6e90c863f1166a43e590204d055ee08a
SHA1:	c02e42892470124601b5b1126b2c780bb0f2c502
SHA256:	54abe3ef576221e0d1341371378f36e9f63e3f5576069573910fcad5cf43b24f
SHA512:	14a38a5b20b4972956349d4718b9a6ed8286c46c3758a28acc382b369b38dbc67f2d9019a95c26430e1d3c77088ad47af0ea96853e56eccb3fdafe36f289665c
SSDEEP:	3072:fQCyKBU+DkgSZxPOs82L7a3Mum6kJfADWPlA8lxPMvt6L1Hke0tjwKswX:fQCYtj9FAiNA8l2V6lkeCjwKs
TLSH:	DA34494F36650CDCD8ABE139CABB5202F2B3344E473582F7179004261F5BAD69F7AA52
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...k.l.p....l..f....l..h....l..C....l..d...)...i...b...y...qk..c...qk..c...qk..c...Richb...................PE..d..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14002af48
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F2C558 [Tue Sep 24 13:57:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	0e75f62fc1176f33ebe2f7928e1928fc

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F53212E5360h
dec eax
add esp, 28h
jmp 00007F53212E4A5Fh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F53212E4BF2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F53212E4BF5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F53212E4BEDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F53212E454Eh
int3
retn 0000h
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34fd4	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3c000	0x1848	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f000	0x234	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2fbc0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2fa80	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e000	0x720	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c66f	0x2c800	f65ed4f38081c06d231bd9c912bfa599	False	0.3892314782303371	data	6.395670348363393	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2e000	0x9620	0x9800	ef7ab754b8ea96fd28239a90c62d59bb	False	0.388671875	data	5.188144945680934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x38000	0x3eb0	0xc00	9c7b279cb521d2aa33ec9968b1eb2c1f	False	0.21451822916666666	DOS executable (block device driver)	4.125390770865239	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3c000	0x1848	0x1a00	7e269219c0d0f0c6d63d545230a01fa3	False	0.44771634615384615	PEX Binary Archive	5.273013078533793	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3e000	0x1e0	0x200	9f1a673dc4e7c166bd12756a73603a62	False	0.53125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3f000	0x234	0x400	0c352fdd52b0f08ef925b47981b4af39	False	0.4267578125	data	3.816491633047277	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x3e060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	CreateMutexA, WaitForSingleObject, ReleaseMutex, MultiByteToWideChar, Sleep, GetLastError, OpenMutexA, CloseHandle, GlobalMemoryStatusEx, CreateProcessA, GetExitCodeProcess, FormatMessageA, InitializeSListHead, GetSystemTimeAsFileTime, GetLocaleInfoEx, CreateFileW, FindClose, FindFirstFileW, GetTempPathW, GetFileAttributesExW, AreFileApisANSI, GetModuleHandleW, GetFileInformationByHandleEx, WideCharToMultiByte, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualAlloc, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, LocalFree
SHELL32.dll	SHGetFolderPathA
MSVCP140.dll	??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z, ??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ, ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ, ?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ, ?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ, ?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z, ?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z, ?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z, ?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ, ?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@H@Z, ?good@ios_base@std@@QEBA_NXZ, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z, ?tolower@?$ctype@D@std@@QEBADD@Z, ??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ, ?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z, ?unshift@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z, ?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z, ??1facet@locale@std@@MEAA@XZ, ??0facet@locale@std@@IEAA@_K@Z, ?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ, ?_Incref@facet@locale@std@@UEAAXXZ, ??Bid@locale@std@@QEAA_KXZ, ?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ, ??1_Locinfo@std@@QEAA@XZ, ??0_Locinfo@std@@QEAA@PEBD@Z, ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ, ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEBA?AVlocale@2@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, _Query_perf_counter, _Strcoll, ?_Syserror_map@std@@YAPEBDH@Z, ?id@?$collate@D@std@@2V0locale@2@A, ?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A, ?_Xlength_error@std@@YAXPEBD@Z, ?_Random_device@std@@YAIXZ, ?id@?$ctype@D@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Winerror_map@std@@YAHH@Z, ?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z, ?_Xbad_alloc@std@@YAXXZ, ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?uncaught_exceptions@std@@YAHXZ, ??0_Lockit@std@@QEAA@H@Z, ??1_Lockit@std@@QEAA@XZ, _Query_perf_frequency, _Strxfrm, ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
dxgi.dll	CreateDXGIFactory
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenA, InternetOpenUrlA
CRYPT32.dll	CryptStringToBinaryA
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	strchr, __std_terminate, __C_specific_handler, __std_exception_destroy, memcpy, memset, memcmp, _CxxThrowException, memchr, __current_exception, memmove, __std_exception_copy, __current_exception_context
api-ms-win-crt-stdio-l1-1-0.dll	_fseeki64, fwrite, fputc, _set_fmode, _get_stream_buffer_pointers, fread, __acrt_iob_func, fflush, fclose, fputwc, ungetwc, fsetpos, fgetc, __stdio_common_vfprintf, fgetwc, ungetc, setvbuf, fgetpos, __p__commode, _flushall
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, realloc, _set_new_mode, malloc, free
api-ms-win-crt-utility-l1-1-0.dll	srand, rand
api-ms-win-crt-filesystem-l1-1-0.dll	_stat64i32, _unlock_file, _lock_file, _mkdir
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-runtime-l1-1-0.dll	_configure_narrow_argv, _initialize_narrow_environment, terminate, abort, _initialize_onexit_table, _register_onexit_function, exit, _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, _get_narrow_winmain_command_line, _initterm, _initterm_e, _exit, _invalid_parameter_noinfo_noreturn, _c_exit, _register_thread_local_exe_atexit_callback
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale, ___lc_codepage_func
api-ms-win-crt-math-l1-1-0.dll	cos, log, exp, pow, sin, __setusermatherr, tan

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	09:27:12
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe"
Imagebase:	0x7ff7b8590000
File size:	233'472 bytes
MD5 hash:	6E90C863F1166A43E590204D055EE08A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:27:16
Start date:	13/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6576 -s 380
Imagebase:	0x7ff6971f0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0.1%
Signature Coverage:	48.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF7B85A4580 Relevance: 165.6, APIs: 55, Strings: 36, Instructions: 6389memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF7B85A494A
VirtualAlloc.KERNELBASE ref: 00007FF7B85A4AF1
_Query_perf_frequency.MSVCP140 ref: 00007FF7B85A5054
_Query_perf_counter.MSVCP140 ref: 00007FF7B85A505D
log.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A534F
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A535B
sin.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A5367
exp.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A5378
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A53E1
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A5440
memset.VCRUNTIME140 ref: 00007FF7B85A5558
?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B85A4BF9

Part of subcall function 00007FF7B85B2150: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B2358
Part of subcall function 00007FF7B85B2150: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B2365

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

Strings

h, xrefs: 00007FF7B85AA387
N, xrefs: 00007FF7B85AAA56
d, xrefs: 00007FF7B85AA45A
L, xrefs: 00007FF7B85AAA51
d, xrefs: 00007FF7B85A9B66
P, xrefs: 00007FF7B85AAA5B
, xrefs: 00007FF7B85AAF95
d, xrefs: 00007FF7B85A6FE4
50~jb, xrefs: 00007FF7B85A96C4
T, xrefs: 00007FF7B85AA3A0
L, xrefs: 00007FF7B85A9A76
., xrefs: 00007FF7B85AAA4C
P, xrefs: 00007FF7B85AA396
L, xrefs: 00007FF7B85AAF9A
d, xrefs: 00007FF7B85A7D90
d, xrefs: 00007FF7B85A90AC
:, xrefs: 00007FF7B85A9A71
d, xrefs: 00007FF7B85A65C8
d, xrefs: 00007FF7B85AA48C
L, xrefs: 00007FF7B85A9A8C
d)65R, xrefs: 00007FF7B85AAA3B
L, xrefs: 00007FF7B85AA38C
60~jb, xrefs: 00007FF7B85A8372
:, xrefs: 00007FF7B85A9A87
d, xrefs: 00007FF7B85A7D57
d, xrefs: 00007FF7B85A4C58
X, xrefs: 00007FF7B85AA3AA
R, xrefs: 00007FF7B85AA39B
N, xrefs: 00007FF7B85AA391
random, xrefs: 00007FF7B85A5479, 00007FF7B85A6E79, 00007FF7B85A8108, 00007FF7B85A9459, 00007FF7B85A9ED5, 00007FF7B85AA805
V, xrefs: 00007FF7B85AA3A5
d, xrefs: 00007FF7B85A90E1
d, xrefs: 00007FF7B85A9B34
d, xrefs: 00007FF7B85A55E4
\, xrefs: 00007FF7B85AAA72
L, xrefs: 00007FF7B85AAA77

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual$Concurrency::cancel_current_taskQuery_perf_counterQuery_perf_frequencyRandom_device@std@@_invalid_parameter_noinfo_noreturnmallocmemset
String ID: $.$50~jb$60~jb$:$:$L$L$L$L$L$L$N$N$P$P$R$T$V$X$\$d$d$d$d$d$d$d$d$d$d$d$d$d)65R$h$random
API String ID: 3798647520-2963567472
Opcode ID: 87ab6a15ddaa7428d1e95293d2efb970ea0ce3748a0253fc652b606824dc3296
Instruction ID: 49fd5770108a00a06b025a23e5b573e1555fa0fc021c6ab39a55c682e2941fd8
Opcode Fuzzy Hash: 87ab6a15ddaa7428d1e95293d2efb970ea0ce3748a0253fc652b606824dc3296
Instruction Fuzzy Hash: A4D3C92291DBC145E722AB38E4511E9E354FFF7784F40D322E78D66A5AEF38E1828714

Function 00007FF7B85A0640 Relevance: 67.2, APIs: 36, Strings: 1, Instructions: 2440COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI ref: 00007FF7B85A070F
?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B85A0718

Part of subcall function 00007FF7B8591670: _Query_perf_frequency.MSVCP140 ref: 00007FF7B859167D
Part of subcall function 00007FF7B8591670: _Query_perf_counter.MSVCP140 ref: 00007FF7B8591686

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A0A2E
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A0F9E
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A0FC6
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A0A56

Part of subcall function 00007FF7B85AE450: memset.VCRUNTIME140 ref: 00007FF7B85AE490

?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B85A0C97
memchr.VCRUNTIME140 ref: 00007FF7B85A1677
memcmp.VCRUNTIME140 ref: 00007FF7B85A169B
?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B85A17A1
memchr.VCRUNTIME140 ref: 00007FF7B85A16B8

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85A18AF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85A18B6
_Query_perf_frequency.MSVCP140 ref: 00007FF7B85A1B86
_Query_perf_counter.MSVCP140 ref: 00007FF7B85A1B8F
log.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A1E5B
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A1E67
sin.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A1E73
exp.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A1E84
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A1EF4
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A1F5C
memset.VCRUNTIME140 ref: 00007FF7B85A2063
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85A26B6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85A26BD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85A2747
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7B85A2779
?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B85A278E
_Query_perf_frequency.MSVCP140 ref: 00007FF7B85A2A72
_Query_perf_counter.MSVCP140 ref: 00007FF7B85A2A7B
log.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A2D3B
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A2D47
sin.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A2D53
exp.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A2D64
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85A2DD4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85A36D6

Strings

random, xrefs: 00007FF7B85A0A67, 00007FF7B85A0FD7, 00007FF7B85A1F92

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Random_device@std@@$Query_perf_counterQuery_perf_frequency$memchrmemset$Concurrency::cancel_current_taskCreateFactoryGlobalMemoryStatusmallocmemcmp
String ID: random
API String ID: 4003858199-373021397
Opcode ID: 92090a04ada771e9836e217aa0b1f2e93ae536986e940658b3567154b3932d68
Instruction ID: bfa88f1d9c3bc35e3567fe42b2b338b4db720c84d1d8a9195057f69f6f00a1e7
Opcode Fuzzy Hash: 92090a04ada771e9836e217aa0b1f2e93ae536986e940658b3567154b3932d68
Instruction Fuzzy Hash: 1F33D832A18A8685DB21EF38D8912FCE355FF66788F804231E74E5BA99DF38D546C314

Function 00007FF7B85A36E0 Relevance: 29.0, APIs: 14, Strings: 2, Instructions: 978COMMON

Download Yara Rule

APIs

?_Random_device@std@@YAIXZ.MSVCP140(00000000,0000006E00000006,?,00000000,-8000000000000000), ref: 00007FF7B85A3778

Part of subcall function 00007FF7B85B2150: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B2358
Part of subcall function 00007FF7B85B2150: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B2365

_Query_perf_frequency.MSVCP140(?,00000000,-8000000000000000), ref: 00007FF7B85A3A7D
_Query_perf_counter.MSVCP140(?,00000000,-8000000000000000), ref: 00007FF7B85A3A86
log.API-MS-WIN-CRT-MATH-L1-1-0(?,00000000,-8000000000000000), ref: 00007FF7B85A3D4B
cos.API-MS-WIN-CRT-MATH-L1-1-0(?,00000000,-8000000000000000), ref: 00007FF7B85A3D57
sin.API-MS-WIN-CRT-MATH-L1-1-0(?,00000000,-8000000000000000), ref: 00007FF7B85A3D63
exp.API-MS-WIN-CRT-MATH-L1-1-0(?,00000000,-8000000000000000), ref: 00007FF7B85A3D74
pow.API-MS-WIN-CRT-MATH-L1-1-0(?,00000000,-8000000000000000), ref: 00007FF7B85A3DD3
tan.API-MS-WIN-CRT-MATH-L1-1-0(?,00000000,-8000000000000000), ref: 00007FF7B85A3E2E

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

memset.VCRUNTIME140(?,00000000,-8000000000000000), ref: 00007FF7B85A3EFA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,-8000000000000000), ref: 00007FF7B85A447C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,-8000000000000000), ref: 00007FF7B85A4483
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,-8000000000000000), ref: 00007FF7B85A44F3
SleepEx.KERNELBASE(?,00000000,-8000000000000000), ref: 00007FF7B85A4505

Strings

random, xrefs: 00007FF7B85A3E5B
d, xrefs: 00007FF7B85A37CE

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskQuery_perf_counterQuery_perf_frequencyRandom_device@std@@Sleepmallocmemset
String ID: d$random
API String ID: 2134775511-2911377361
Opcode ID: 16452cfd0e712f89d915d6daee8606c00af68d80423a3433fefb7e7978eeaddb
Instruction ID: a8e1eee5f7e4c6cc4c5eb8003b63fa1e4cdb6ebc072befef5d0319e3c31646ac
Opcode Fuzzy Hash: 16452cfd0e712f89d915d6daee8606c00af68d80423a3433fefb7e7978eeaddb
Instruction Fuzzy Hash: 95821632A0CA4146EB11AF7894511BDE352FFA6794F908336E74E6BB99DF3CE4428314

Function 00007FF7B8591610 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8591634
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B8591655

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID:
API String ID: 2168557111-0
Opcode ID: 57a41865e2a522d0e959f9447d4094606fd6f742e51a43451859619ab895bbc7
Instruction ID: e2e710d5e2b184ac55f8557ec64af908a7ca5ba354e24c5dcc7b5b196cd2ad0f
Opcode Fuzzy Hash: 57a41865e2a522d0e959f9447d4094606fd6f742e51a43451859619ab895bbc7
Instruction Fuzzy Hash: FEE01532A08B8182D7009F54F80445AE3A4FBA97C4F944135EB8947B28CF7CD1A6CB54

Function 000001622CB00000 Relevance: .0, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1964028359.000001622CB00000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001622CB00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1622cb00000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a76d596100e906e42a18baf41ccc164cf4d2382328c9a176804d46515399a0
Instruction ID: 4ee9a1f44c7989a12476001a8ba19eb08aae74b9bfeae4ea2fa4c4b261d6df11
Opcode Fuzzy Hash: d9a76d596100e906e42a18baf41ccc164cf4d2382328c9a176804d46515399a0
Instruction Fuzzy Hash: 70E0E230218A0E9FDB84EF5CD484B65FBE0FBAC310F50066AA058D3264DB709990CB42

Non-executed Functions

Function 00007FF7B8599150 Relevance: 52.1, APIs: 28, Strings: 1, Instructions: 1326encryptionprocesssynchronizationCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32 ref: 00007FF7B859924E
?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B8599271

Part of subcall function 00007FF7B85B2150: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B2358
Part of subcall function 00007FF7B85B2150: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B2365

_Query_perf_frequency.MSVCP140 ref: 00007FF7B8599552
_Query_perf_counter.MSVCP140 ref: 00007FF7B859955B
log.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859981B
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8599827
sin.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8599833
exp.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8599844
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85998A3
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85998FE

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

memset.VCRUNTIME140 ref: 00007FF7B85999C8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8599F4C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8599F53
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8599FC7
memset.VCRUNTIME140 ref: 00007FF7B859A03B
CryptStringToBinaryA.CRYPT32 ref: 00007FF7B859A073
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B859A0BE
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B859A16F

Part of subcall function 00007FF7B85BA968: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85BA998
Part of subcall function 00007FF7B85BA968: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85BA99E

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7B859A20B
memcpy.VCRUNTIME140 ref: 00007FF7B859A228
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF7B859A471
_flushall.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B859A47A
CreateProcessA.KERNEL32 ref: 00007FF7B859A4B6
WaitForSingleObject.KERNEL32 ref: 00007FF7B859A4DA
GetExitCodeProcess.KERNEL32 ref: 00007FF7B859A4EA
CloseHandle.KERNEL32 ref: 00007FF7B859A4F5
CloseHandle.KERNEL32 ref: 00007FF7B859A500
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7B859A509

Strings

random, xrefs: 00007FF7B859992B

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$BinaryCloseCryptHandleProcessStringmallocmemset$CodeCreateExitObjectQuery_perf_counterQuery_perf_frequencyRandom_device@std@@SingleWait_flushallfreegetenvmemcpy
String ID: random
API String ID: 2415399023-373021397
Opcode ID: 1d0c04de029e4bd8b1f367337c9b71c5695b1fd0bf1e3a21c8ef9e7edb2f254d
Instruction ID: 8a15c927376dabd98aa20d5ae79dbf77df42b4953af6059fed42c6ec3d029b96
Opcode Fuzzy Hash: 1d0c04de029e4bd8b1f367337c9b71c5695b1fd0bf1e3a21c8ef9e7edb2f254d
Instruction Fuzzy Hash: D0C20532E0CA4186E7119F7898511BDE365BFA6794F948336EB4E23B99DF38E4428314

Function 00007FF7B859D3A0 Relevance: 46.6, APIs: 22, Strings: 3, Instructions: 2846memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7B859D4BA
MultiByteToWideChar.KERNEL32 ref: 00007FF7B859D500
VirtualAlloc.KERNEL32 ref: 00007FF7B859D8AD
?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B859D9AE
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859DCBE
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859DCE6
VirtualAlloc.KERNEL32 ref: 00007FF7B859DF9D
VirtualAlloc.KERNEL32 ref: 00007FF7B859E64D
?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B859E767
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859EA5E
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859EA86
VirtualAlloc.KERNEL32 ref: 00007FF7B859ED3C
VirtualAlloc.KERNEL32 ref: 00007FF7B859F110
?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B859F20E
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859F4FE
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859F526
VirtualAlloc.KERNEL32 ref: 00007FF7B859F7DC
VirtualAlloc.KERNEL32 ref: 00007FF7B859FB6C
?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B859FC7A
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859FF6E
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859FF96
VirtualAlloc.KERNEL32 ref: 00007FF7B85A04AD

Strings

d, xrefs: 00007FF7B859FCC7
d, xrefs: 00007FF7B859D9FF
random, xrefs: 00007FF7B859DCF7, 00007FF7B859EA97, 00007FF7B859F537, 00007FF7B859FFA7

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual$Random_device@std@@$ByteCharMultiWide
String ID: d$d$random
API String ID: 1209970496-741463915
Opcode ID: 269b3f85e0548a18497a7961a42e876e4d0bc95ee96558bb2f9fe0aadf852576
Instruction ID: 6338101fb558b0c42e0c35c3d12ffbca0586cdc513263bfbd210f763e657b572
Opcode Fuzzy Hash: 269b3f85e0548a18497a7961a42e876e4d0bc95ee96558bb2f9fe0aadf852576
Instruction Fuzzy Hash: 5C53A922D1CBC586E7129F38D8511E9E760FFB6784F809322E74D66A5AEF34E186C314

Function 00007FF7B8597EC0 Relevance: 45.0, APIs: 23, Strings: 2, Instructions: 1244networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET ref: 00007FF7B85981C4
?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B85981CE
_Query_perf_frequency.MSVCP140 ref: 00007FF7B85984B4
_Query_perf_counter.MSVCP140 ref: 00007FF7B85984BD

Part of subcall function 00007FF7B85B2150: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B2358
Part of subcall function 00007FF7B85B2150: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B2365

log.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859876B
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8598777
sin.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8598783
exp.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8598794
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85987F3
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859884E
memset.VCRUNTIME140 ref: 00007FF7B8598918
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8598E9A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8598EA1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8598F13
InternetOpenUrlA.WININET ref: 00007FF7B8598F74
InternetReadFile.WININET ref: 00007FF7B8598FA1
memcpy.VCRUNTIME140 ref: 00007FF7B8598FDF
memset.VCRUNTIME140 ref: 00007FF7B859900A
InternetCloseHandle.WININET ref: 00007FF7B859901C
InternetCloseHandle.WININET ref: 00007FF7B8599025
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8599075
InternetCloseHandle.WININET ref: 00007FF7B859907F

Part of subcall function 00007FF7B85B1060: memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7B85AEA0B,?,?,?,?,?,00007FF7B8591B57), ref: 00007FF7B85B114E
Part of subcall function 00007FF7B85B1060: memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7B85AEA0B,?,?,?,?,?,00007FF7B8591B57), ref: 00007FF7B85B115C

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8599140

Strings

random, xrefs: 00007FF7B859887B
orn`, xrefs: 00007FF7B8597FA6

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: Internet_invalid_parameter_noinfo_noreturn$CloseHandlememcpy$Openmemset$Concurrency::cancel_current_taskFileQuery_perf_counterQuery_perf_frequencyRandom_device@std@@Read
String ID: orn`$random
API String ID: 2635940824-2186681027
Opcode ID: e7303d7da917fb2e0ea9ee27e387a3a4fa5e2fce180ec751a63186f277889139
Instruction ID: 732e4e411aac7f5c0e97ada9730430ce8846e8eccaa72d89876f2cafc3e2d17e
Opcode Fuzzy Hash: e7303d7da917fb2e0ea9ee27e387a3a4fa5e2fce180ec751a63186f277889139
Instruction Fuzzy Hash: B2B2F522B1CA4146EB01AF38D4111BDE365BFB6784F949336EB4E67B99DF38E4428314

Function 00007FF7B8594640 Relevance: 40.1, APIs: 20, Strings: 1, Instructions: 3384COMMON

Download Yara Rule

APIs

?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B8596DF6

Part of subcall function 00007FF7B85B2150: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B2358
Part of subcall function 00007FF7B85B2150: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B2365

_Query_perf_frequency.MSVCP140 ref: 00007FF7B859713C
_Query_perf_counter.MSVCP140 ref: 00007FF7B8597145
log.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859741E
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859742A
sin.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8597436
exp.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8597447
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B85974B0
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B859750E
memset.VCRUNTIME140 ref: 00007FF7B8597613
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8597C1B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8597C22
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8597CA6
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7B8597CB7
srand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7B8597CBF
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7B8597CD7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8597D72
_stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7B8597DA6
_mkdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7B8597DCE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8597E25

Strings

random, xrefs: 00007FF7B8597544

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskQuery_perf_counterQuery_perf_frequencyRandom_device@std@@_mkdir_stat64i32_time64memsetrandsrand
String ID: random
API String ID: 257508751-373021397
Opcode ID: 4b06b1fe7fba131225baf6bf73cdb2becfef04b9ca1b6505e141a25009f2691c
Instruction ID: 62c21d706a1f9670562225ef3de24b30cf7656bde1ab32b688d925b3f88beabb
Opcode Fuzzy Hash: 4b06b1fe7fba131225baf6bf73cdb2becfef04b9ca1b6505e141a25009f2691c
Instruction Fuzzy Hash: 7E530A36D19BC14AE7239B39A8111E4E754AFB73C4F50D323FA5C76E56EF25A1838208

Function 00007FF7B85BA518 Relevance: 33.2, APIs: 22, Instructions: 224
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF7B85BA5C5
GetLastError.KERNEL32 ref: 00007FF7B85BA5CF
FindFirstFileW.KERNEL32 ref: 00007FF7B85BA5E6
GetLastError.KERNEL32 ref: 00007FF7B85BA5F2
FindClose.KERNEL32 ref: 00007FF7B85BA600
__std_fs_open_handle.LIBCPMT ref: 00007FF7B85BA693
CloseHandle.KERNEL32 ref: 00007FF7B85BA6A9
CloseHandle.KERNEL32 ref: 00007FF7B85BA826
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85BA830

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleabort
String ID:
API String ID: 4293554670-0
Opcode ID: 44e7e6355c3c3b4b5313ce6daddb476d4210d714f126fdf26df65ff8189d85fc
Instruction ID: e28a5131d78daef7290056cd502bf1de29348d053dd3268a5011e2d6da352024
Opcode Fuzzy Hash: 44e7e6355c3c3b4b5313ce6daddb476d4210d714f126fdf26df65ff8189d85fc
Instruction Fuzzy Hash: 9D91A831A0DA4242E765AF1DA404679E2A0AF76774F980730FB6E477D8DE3CE4478724

Function 00007FF7B85934B0 Relevance: 25.5, APIs: 13, Strings: 1, Instructions: 1022COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B85AE060: ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z.MSVCP140 ref: 00007FF7B85AE080
Part of subcall function 00007FF7B85AE060: ??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z.MSVCP140 ref: 00007FF7B85AE0D6
Part of subcall function 00007FF7B85AE060: ?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z.MSVCP140 ref: 00007FF7B85AE0F2
Part of subcall function 00007FF7B85AE060: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7B85AE102
Part of subcall function 00007FF7B85AE060: ?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z.MSVCP140 ref: 00007FF7B85AE111
Part of subcall function 00007FF7B85AE060: ??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z.MSVCP140 ref: 00007FF7B85AE125

?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF7B85935A8

Part of subcall function 00007FF7B85B2150: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B2358
Part of subcall function 00007FF7B85B2150: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B2365

_Query_perf_frequency.MSVCP140 ref: 00007FF7B85938AB
_Query_perf_counter.MSVCP140 ref: 00007FF7B85938B4
log.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8593B7B
cos.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8593B87
sin.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8593B93
exp.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8593BA4
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8593C03
tan.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7B8593C5E

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

memset.VCRUNTIME140 ref: 00007FF7B8593D28
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B859429A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85942A1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8594319

Strings

random, xrefs: 00007FF7B8593C8B

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Locimp@locale@std@@$??0?$codecvt@_??4?$_Addfac@_Bid@locale@std@@Concurrency::cancel_current_taskD@std@@Init@locale@std@@Locimp@12@_Locimp@_Mbstatet@@@std@@New_Query_perf_counterQuery_perf_frequencyRandom_device@std@@V01@V123@V123@@Vfacet@23@_Yarn@mallocmemset
String ID: random
API String ID: 1122477867-373021397
Opcode ID: 0ec0e44b6cb64bfae8980dab31b6c5ea032862682337bbb87f8200897a804dee
Instruction ID: 79dc7000348390b0d9858113d79d37040f6310f58184f2b18a48be9b45e84163
Opcode Fuzzy Hash: 0ec0e44b6cb64bfae8980dab31b6c5ea032862682337bbb87f8200897a804dee
Instruction Fuzzy Hash: 91920432A0CA4186EB119F38D4111BDE361BFEA794F909336E74E67B99DF38E4428314

Function 00007FF7B85A59E3 Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 485COMMON

Download Yara Rule

Strings

random, xrefs: 00007FF7B85A5479
d, xrefs: 00007FF7B85A55E4

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: d$random
API String ID: 0-2911377361
Opcode ID: 49cc911175f5e0541264c47f7475ff60a416648821aaa9eb7b0ba933c28aea12
Instruction ID: 220e3c0499fa8345907a202d0735b7e593929b96d5eb4e30dbc0ec7b80005c9f
Opcode Fuzzy Hash: 49cc911175f5e0541264c47f7475ff60a416648821aaa9eb7b0ba933c28aea12
Instruction Fuzzy Hash: 4E22FC22E1C6C145E7219B7890517B9E351FFB7390F908336E78A67B8ADF38D4428B14

Function 00007FF7B85A73E3 Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 484COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF7B85A6FE4
random, xrefs: 00007FF7B85A6E79

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: d$random
API String ID: 0-2911377361
Opcode ID: 6dbbad9deedadab13af357d3875e2cd51114ef503c27700929a8e952d94335ff
Instruction ID: 084964f2d98c1cf837676750b9dc3b5a4eebeae1d4f6a53a1c5bcd71055b1fad
Opcode Fuzzy Hash: 6dbbad9deedadab13af357d3875e2cd51114ef503c27700929a8e952d94335ff
Instruction Fuzzy Hash: 4722FB22A1CAC185D721AB38D0513B9E295FFB7390F509335E7DA67B8ADF38E4428714

Function 00007FF7B85BB480 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7B85BB49C
memset.VCRUNTIME140 ref: 00007FF7B85BB4C0
RtlCaptureContext.KERNEL32 ref: 00007FF7B85BB4C9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7B85BB4E3
RtlVirtualUnwind.KERNEL32 ref: 00007FF7B85BB524
memset.VCRUNTIME140 ref: 00007FF7B85BB557
IsDebuggerPresent.KERNEL32 ref: 00007FF7B85BB578
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7B85BB595
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7B85BB5A0

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 19b8450d50022a509fbeeb78ade14be2cd2f4d19ae30be10dbf0b2131a84a497
Instruction ID: b5c6af87762148c8d43bff0bf2e4c290c02dffa7fc3d5f9af756c483ac1f04ae
Opcode Fuzzy Hash: 19b8450d50022a509fbeeb78ade14be2cd2f4d19ae30be10dbf0b2131a84a497
Instruction Fuzzy Hash: 6F31A372608B8185EB609F65E8403EDB364FBA5344F84403AEB8E43B98EF7CC149C724

Function 00007FF7B85943E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32 ref: 00007FF7B8594438
memset.VCRUNTIME140 ref: 00007FF7B85944ED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85945C6

Strings

Failed to get AppData path., xrefs: 00007FF7B85945F6
\, xrefs: 00007FF7B8594494
L, xrefs: 00007FF7B8594499

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: FolderPath_invalid_parameter_noinfo_noreturnmemset
String ID: Failed to get AppData path.$L$\
API String ID: 1486729589-1473829883
Opcode ID: 48d7c37734061eddc4afed10d7cae08c14a93a7514c1b379dfaca0f549b88086
Instruction ID: 1355b99d7661323541aa10d5c6a789105ae31b53b185686ca249acf6d0c82d61
Opcode Fuzzy Hash: 48d7c37734061eddc4afed10d7cae08c14a93a7514c1b379dfaca0f549b88086
Instruction Fuzzy Hash: 2051E922A1CBC185E7509B29E4403AAE761FF663A4F905331FBAD02AD9DF3CE585C714

Function 00007FF7B85BB6CC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7B85BB6F8
GetCurrentThreadId.KERNEL32 ref: 00007FF7B85BB706
GetCurrentProcessId.KERNEL32 ref: 00007FF7B85BB712
QueryPerformanceCounter.KERNEL32 ref: 00007FF7B85BB722

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 25896374efde6f4be44b9769546b532beb04d45f9bf927e805304f4314b9ef4c
Instruction ID: 9e770e77bc6f82ee776d50fb76ece05922c342abaab4f4e0b14cfeb093e2f99c
Opcode Fuzzy Hash: 25896374efde6f4be44b9769546b532beb04d45f9bf927e805304f4314b9ef4c
Instruction Fuzzy Hash: E1112132B18F018AEB40DF64E8542B8B3A4FB69758F440E31EB5D467A8DF7CD1958750

Function 00007FF7B85BA33C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF7B8591F45), ref: 00007FF7B85BA362
FormatMessageA.KERNEL32 ref: 00007FF7B85BA395

Strings

!x-sys-default-locale, xrefs: 00007FF7B85BA355

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 80a4920f6669cba734518a6d54b8e5416cb3d2bb96b06634253721d9f0ddd4a7
Instruction ID: 5c5895639a5fec5cf3645aca3beaf60e8c7fac46ce701392adce5912f014f09b
Opcode Fuzzy Hash: 80a4920f6669cba734518a6d54b8e5416cb3d2bb96b06634253721d9f0ddd4a7
Instruction Fuzzy Hash: 3701A172A0C78182F7129F16B40476AE6A1FFB6784F988035EB4A06B9CCF3CD5468714

Function 00007FF7B85B9A20 Relevance: 1.6, APIs: 1, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de8fce81377e9415410f09b23be406b82806a22b0efd7ee3483ee5ff1d55997
Instruction ID: 65fb329b46af92cb7414a42c41cc408c664081e12c0a0b5ff1d1914954befc33
Opcode Fuzzy Hash: 4de8fce81377e9415410f09b23be406b82806a22b0efd7ee3483ee5ff1d55997
Instruction Fuzzy Hash: F9C1E173B2969587EB16CF16D944569F762FBE5BD0B85C130EB4A07B88DA3CD802C704

Function 00007FF7B85B5A00 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19177203c5f7e3e4428810e341f70abb33e4e6660a6a30719f5034a848a6654c
Instruction ID: 31e24990ca22fea1e371f589b79ddc0ecb2947c402209cd75dfb987220c7a2f7
Opcode Fuzzy Hash: 19177203c5f7e3e4428810e341f70abb33e4e6660a6a30719f5034a848a6654c
Instruction Fuzzy Hash: 9A61C422B18B8982DB149F1DE0452A9E361FB7A7D4F949231EB9D57B88EF7CD181C340

Function 00007FF7B85B3080 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction ID: a2130766cf03e10fada51f078a0beaecbced90352182c0f258218e3772515adb
Opcode Fuzzy Hash: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction Fuzzy Hash: 35419433B1554487E78CCE2EC8126AD73A6F7A9304F95C23DEB0AC7385DA359906C744

Function 00007FF7B85BB660 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711dc0a1ce752c5b92a8b1a128afaf0d364a680493ec4af0cfb4a8513c4d417a
Instruction ID: 12f81120ca61e33c34863f88f9f720d5b688e0a1624fdea41526af3fc1f54d2f
Opcode Fuzzy Hash: 711dc0a1ce752c5b92a8b1a128afaf0d364a680493ec4af0cfb4a8513c4d417a
Instruction Fuzzy Hash: 35A0012190CC1AD4E744AF19A950170E220BF72300BD40431E64E422A8AE6CA95282A9

Function 00007FF7B85AF1A0 Relevance: 16.6, APIs: 11, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7B85AF1DD
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7B85AF1FC
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7B85AF22E
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7B85AF249
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF7B85AF273
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7B85AF290
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B85AF2B7
?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7B85AF302

Part of subcall function 00007FF7B85B0940: ??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF7B85B096D
Part of subcall function 00007FF7B85B0940: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7B85B0987
Part of subcall function 00007FF7B85B0940: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF7B85B09B9
Part of subcall function 00007FF7B85B0940: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF7B85B09E4
Part of subcall function 00007FF7B85B0940: std::_Facet_Register.LIBCPMT ref: 00007FF7B85B09FD
Part of subcall function 00007FF7B85B0940: ??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF7B85B0A1C

?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z.MSVCP140 ref: 00007FF7B85AF317
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7B85AF32E
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7B85AF370

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@U?$char_traits@_W@std@@@std@@$Init@?$basic_streambuf@_$Lockit@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??0_??1_?getloc@?$basic_streambuf@_?setstate@?$basic_ios@?tolower@?$ctype@Bid@locale@std@@D@std@@D@std@@@1@_Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@V?$basic_streambuf@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 83113347-0
Opcode ID: 23c5f14d9d2920ffdb8e200f91ecf5db91b09fde0a9e379cc2496c2f3c31cd4e
Instruction ID: c48bb4aa967e8ea3165ae0ae0ad2b4464d4c18215bf39f602ece877223ae35b0
Opcode Fuzzy Hash: 23c5f14d9d2920ffdb8e200f91ecf5db91b09fde0a9e379cc2496c2f3c31cd4e
Instruction Fuzzy Hash: E5512A36609B8186EB50DF29E850269B7A4FB9AF88F984035EB8E03718DF3CD056C754

Function 00007FF7B85B1840 Relevance: 15.1, APIs: 10, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF7B85B187A
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7B85B188F
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF7B85B18C1
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF7B85B19D8

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

Part of subcall function 00007FF7B8592150: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7B85B190D), ref: 00007FF7B8592282

??0_Locinfo@std@@QEAA@PEBD@Z.MSVCP140 ref: 00007FF7B85B1928
??0facet@locale@std@@IEAA@_K@Z.MSVCP140 ref: 00007FF7B85B193E
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ.MSVCP140 ref: 00007FF7B85B1957
??1_Locinfo@std@@QEAA@XZ.MSVCP140 ref: 00007FF7B85B1969
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B19A4
std::_Facet_Register.LIBCPMT ref: 00007FF7B85B19BB

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: Locinfo@std@@$??0_??1_Lockit@std@@_invalid_parameter_noinfo_noreturn$??0facet@locale@std@@Bid@locale@std@@Collvec@@Facet_Getcoll@_Getgloballocale@locale@std@@Locimp@12@Registermallocstd::_
String ID:
API String ID: 1534690320-0
Opcode ID: 4225040be45d06bef3bda788dd2bc80e15e155bf0cb59504f001446e5fd6516f
Instruction ID: 95211c681dc402309c432150d62a5d7874590860d986d29f3198e10071835498
Opcode Fuzzy Hash: 4225040be45d06bef3bda788dd2bc80e15e155bf0cb59504f001446e5fd6516f
Instruction Fuzzy Hash: 2B413022A0DA8181EB55AF19E544369E361FFBABD0F844232EB5E03769DF3CD486C714

Function 00007FF7B85AF5D0 Relevance: 15.1, APIs: 10, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7B85AF5FE
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP140 ref: 00007FF7B85AF61D
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7B85AF64F
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7B85AF66A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF7B85AF694
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7B85AF6B1
?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7B85AF6D5

Part of subcall function 00007FF7B85B0110: ??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF7B85B013D
Part of subcall function 00007FF7B85B0110: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7B85B0157
Part of subcall function 00007FF7B85B0110: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF7B85B0189
Part of subcall function 00007FF7B85B0110: ?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF7B85B01B4
Part of subcall function 00007FF7B85B0110: std::_Facet_Register.LIBCPMT ref: 00007FF7B85B01CD
Part of subcall function 00007FF7B85B0110: ??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF7B85B01EC

?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z.MSVCP140 ref: 00007FF7B85AF6EA
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7B85AF701
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7B85AF743

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@_$W@std@@@std@@$Init@?$basic_streambuf@_$Lockit@std@@$??0?$basic_ios@_??0?$basic_ostream@_??0?$basic_streambuf@_??0_??1_?getloc@?$basic_streambuf@_?setstate@?$basic_ios@?tolower@?$ctype@Bid@locale@std@@D@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@_Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@V?$basic_streambuf@_Vfacet@locale@2@Vlocale@2@W@std@@@1@_std::_
String ID:
API String ID: 2364978435-0
Opcode ID: 9c04b9d044b37bafc3c51e5e7a014765b17a55fa6c84eb2a6b0a163aa1681188
Instruction ID: 47aadda7fba8eeeb3dd509848e60712a17b066618141633829ad1448113825cb
Opcode Fuzzy Hash: 9c04b9d044b37bafc3c51e5e7a014765b17a55fa6c84eb2a6b0a163aa1681188
Instruction Fuzzy Hash: 8C415C36A09B4185EB04AF29E854369B7A4FF66F89F988034DB4E03728CF3CD05AC754

Function 00007FF7B85B0400 Relevance: 13.6, APIs: 9, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7B85B047A
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7B85B049A
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7B85B04AA
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7B85B04F7
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF7B85B0521
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7B85B0546
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7B85B058D
?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF7B85B0594
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7B85B05A1

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@_U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1082411713-0
Opcode ID: 45054d7cc04613a0964733ee300a69212865a64964a28420a2abc5d095f187e7
Instruction ID: a0cf43cd2f5fe1f0fd1dd79623423630f467af5cbe5c3fe5fd223c50c9ec86ef
Opcode Fuzzy Hash: 45054d7cc04613a0964733ee300a69212865a64964a28420a2abc5d095f187e7
Instruction Fuzzy Hash: 79510F26609A4181EB609F1DE5D0239E7A0FFA6F95B55C531EF4E43BA8CE3DD4838324

Function 00007FF7B85B0890 Relevance: 13.6, APIs: 9, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7B85B1E65
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7B85B1E85
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7B85B1E95
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7B85B1F70
?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF7B85B1F77
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7B85B1F84

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 929054647-0
Opcode ID: bb604f6eba23b001b1e28e65976775950ed75e85366b51f5158e4ac13b8c968f
Instruction ID: 39bb41e9768f9ca971f464ea60cebf04b9fa11334619c3a216bbbb669fb58f92
Opcode Fuzzy Hash: bb604f6eba23b001b1e28e65976775950ed75e85366b51f5158e4ac13b8c968f
Instruction Fuzzy Hash: 55510F32A0CA4181EB60AF1DD590638EBA0EFA6F95B558532EF4E47768CF39D4878314

Function 00007FF7B85B1C30 Relevance: 13.6, APIs: 9, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7B85B1C9B
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7B85B1CBB
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7B85B1CCB
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7B85B1D18
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF7B85B1D46
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7B85B1D67
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7B85B1DAE
?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF7B85B1DB5
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7B85B1DC2

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@_U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1082411713-0
Opcode ID: 0d5ec328a8f88ad9dde88304c696be7adf3c733013d7e46863af4980d22f23f1
Instruction ID: 75d89369cb79b1973639328f1a2b3fe6f1c9c3e48c67fb0397170da1f07c3e28
Opcode Fuzzy Hash: 0d5ec328a8f88ad9dde88304c696be7adf3c733013d7e46863af4980d22f23f1
Instruction Fuzzy Hash: 04510F3264CA8185EB609F1EE590239EBA0FFA6F85B558431EF4E47768CE3DD4478318

Function 00007FF7B85AF760 Relevance: 10.8, APIs: 7, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z.MSVCP140 ref: 00007FF7B85AF83A
memcpy.VCRUNTIME140 ref: 00007FF7B85AF8EE

Part of subcall function 00007FF7B85B1060: memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7B85AEA0B,?,?,?,?,?,00007FF7B8591B57), ref: 00007FF7B85B114E
Part of subcall function 00007FF7B85B1060: memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7B85AEA0B,?,?,?,?,?,00007FF7B8591B57), ref: 00007FF7B85B115C

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85AFA89
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85AFAD4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85AFB24
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85AFB2B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85AFB31

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpy$Concurrency::cancel_current_task$?out@?$codecvt@Mbstatet@@Mbstatet@@@std@@
String ID:
API String ID: 862015687-0
Opcode ID: bd3986c8eac70713546aec029172baba793e63043bb13c5cd23aaf52f6ef5959
Instruction ID: 5001f1174580b9e645f0aa87b71d026e64e6fc7e807cad1db28650fb3805d210
Opcode Fuzzy Hash: bd3986c8eac70713546aec029172baba793e63043bb13c5cd23aaf52f6ef5959
Instruction Fuzzy Hash: 9FB1A462F0CB459AFB00EF69D4842ACA362EF66B98F844231DF5D17B99DE38D446C314

Function 00007FF7B8592AA0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF7B8592AFF

Part of subcall function 00007FF7B85BA3DC: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF7B8592B04), ref: 00007FF7B85BA3E0
Part of subcall function 00007FF7B85BA3DC: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7B8592B04), ref: 00007FF7B85BA3EF

memcpy.VCRUNTIME140 ref: 00007FF7B8592C40

Part of subcall function 00007FF7B85B1060: memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7B85AEA0B,?,?,?,?,?,00007FF7B8591B57), ref: 00007FF7B85B114E
Part of subcall function 00007FF7B85B1060: memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7B85AEA0B,?,?,?,?,?,00007FF7B8591B57), ref: 00007FF7B85B115C

Part of subcall function 00007FF7B85B1540: memcpy.VCRUNTIME140 ref: 00007FF7B85B1622

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8592CC7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8592D15

Strings

: ", xrefs: 00007FF7B8592BB0
", ", xrefs: 00007FF7B8592BE2

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn$ApisFile___lc_codepage_func__std_fs_code_page
String ID: ", "$: "
API String ID: 217746928-747220369
Opcode ID: 8af38dd4572e12346a7e861e0e5c0b37005e29a69315350ea585c524d2d42072
Instruction ID: f874b0f36fb3e4b7b8c7d555fddd2b2499c1200fb7aa784c677de0d6a48278c1
Opcode Fuzzy Hash: 8af38dd4572e12346a7e861e0e5c0b37005e29a69315350ea585c524d2d42072
Instruction Fuzzy Hash: 63817E62B08B4596EB00EF69E1803ACA376FB69B88F804531EF5D17B99DF38D056C354

Function 00007FF7B85ACB80 Relevance: 10.7, APIs: 7, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fgetwc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B85ACC37

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: fgetwc
String ID:
API String ID: 2948136663-0
Opcode ID: bc5e876cd2a5ddaed97cc61b231dacbb275866b132a4b32473fa302d2f519a40
Instruction ID: 82585a7786a3c26e351a59b8ecbdb5e9cf7c8c2ced875c473e431a2e56bafd55
Opcode Fuzzy Hash: bc5e876cd2a5ddaed97cc61b231dacbb275866b132a4b32473fa302d2f519a40
Instruction Fuzzy Hash: 98819E22B18A8189EB109F69D0803BCB7B0FB69758F840532DF5E5BB98DF38D995C354

Function 00007FF7B85ABED0 Relevance: 10.7, APIs: 7, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7B85ABF82

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: 16552ad37d9e7cabf55b3e3cc75e6a2ff078bb4e2370f03920dd24fe909c6b95
Instruction ID: c7e273c63541701e3531004e3232960a42c29d32f17f416cf7edfc1cb0411e1a
Opcode Fuzzy Hash: 16552ad37d9e7cabf55b3e3cc75e6a2ff078bb4e2370f03920dd24fe909c6b95
Instruction Fuzzy Hash: EE91A132B18A4189EB009F69D4803ACB7B0FB69768F940632DF5D57B98DF38D496C760

Function 00007FF7B85BADD4 Relevance: 10.6, APIs: 7, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7B85BADF8
__scrt_release_startup_lock.LIBCMT ref: 00007FF7B85BAE66
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85BAEB4
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7B85BAEB9
_get_narrow_winmain_command_line.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85BAEC1
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85BAEEA
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85BAF3F

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_get_show_window_mode__scrt_release_startup_lock_cexit_exit_get_narrow_winmain_command_line_register_thread_local_exe_atexit_callback
String ID:
API String ID: 3995423050-0
Opcode ID: 8cd200ff3fb6af25363896647357835655dc0060ded9db8e5413d661c60862be
Instruction ID: 87930cb00d7e8f201ed8215d2e02a3d2f6c90d883a4f2e8959bfae415f583357
Opcode Fuzzy Hash: 8cd200ff3fb6af25363896647357835655dc0060ded9db8e5413d661c60862be
Instruction Fuzzy Hash: 04313820A0E24256FB12BF6C95522B9E281AF73344FC40434F74D0B3DBDE6CA84A8279

Function 00007FF7B85B0940 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF7B85B096D
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7B85B0987
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF7B85B09B9
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF7B85B09E4
std::_Facet_Register.LIBCPMT ref: 00007FF7B85B09FD
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF7B85B0A1C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B0A47

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: ec5f6a21aabe5f9c8435868cf51c71f3e6cb25a39774f1962e251aade7b4fb19
Instruction ID: 303ebd283ea819e2e6da30c63ad7107741bb27940f4b3255e70d0981a93134a1
Opcode Fuzzy Hash: ec5f6a21aabe5f9c8435868cf51c71f3e6cb25a39774f1962e251aade7b4fb19
Instruction Fuzzy Hash: 66312F2660CB4585EB14AF19E480169E360FFB9B94F884631EB9E07769DF3CE492C724

Function 00007FF7B85AFB70 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF7B85AFB9D
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7B85AFBB7
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF7B85AFBE9
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF7B85AFC14
std::_Facet_Register.LIBCPMT ref: 00007FF7B85AFC2D
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF7B85AFC4C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85AFC77

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskD@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 3790006010-0
Opcode ID: b69f92b5355667ebdc3ce19b389c52e9cfeac78d885bf03dc3f624fafab4667e
Instruction ID: f3b6c624be7437075cc867be5ccd9e2d4606fc0e0cc3e5a872103cce77e165e2
Opcode Fuzzy Hash: b69f92b5355667ebdc3ce19b389c52e9cfeac78d885bf03dc3f624fafab4667e
Instruction Fuzzy Hash: 4231822160CA4581EB14AF19E890169F760FFA9B94F880631EB8E0776CCF3CE482C724

Function 00007FF7B85B0110 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF7B85B013D
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7B85B0157
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF7B85B0189
?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF7B85B01B4
std::_Facet_Register.LIBCPMT ref: 00007FF7B85B01CD
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF7B85B01EC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B0217

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@_Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 929128910-0
Opcode ID: e0bdb12422ee04a853e0566a4f3154f032d1ba6b9776c41d7419da004f2b5f89
Instruction ID: d017fb268ac87b49b4bcb7cf3f67e9fca3a1b082f10fecdf39154b40cbd7d91f
Opcode Fuzzy Hash: e0bdb12422ee04a853e0566a4f3154f032d1ba6b9776c41d7419da004f2b5f89
Instruction Fuzzy Hash: 44312125A0CB4181EB14AF19E880169F360FFB9B94F884531EB9E07769DF3CE592C724

Function 00007FF7B85B0D40 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7B85B0E5B
memcpy.VCRUNTIME140 ref: 00007FF7B85B0E6B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B0EA9
memcpy.VCRUNTIME140 ref: 00007FF7B85B0EB3
memcpy.VCRUNTIME140 ref: 00007FF7B85B0EC3
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B0EFC

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 0f7efee4358ba090960613f3f0ce7f840aec90c7a7dfc88def75aa78b168393a
Instruction ID: d0c418079d587997fa475edeff00b734c197de4a424215d6575b88d7e6efe0c3
Opcode Fuzzy Hash: 0f7efee4358ba090960613f3f0ce7f840aec90c7a7dfc88def75aa78b168393a
Instruction Fuzzy Hash: 0D41D262719B4195EB10AF19D4442ADE351EF66BE0F940231EB6D077D9DE3CE042C328

Function 00007FF7B85B7F00 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

?tolower@?$ctype@D@std@@QEBADD@Z.MSVCP140 ref: 00007FF7B85B7F24
?tolower@?$ctype@D@std@@QEBADD@Z.MSVCP140 ref: 00007FF7B85B7F39
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7B85B8012
?_Xbad_alloc@std@@YAXXZ.MSVCP140 ref: 00007FF7B85B801D
realloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7B85B804C
?_Xbad_alloc@std@@YAXXZ.MSVCP140 ref: 00007FF7B85B8057

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: ?tolower@?$ctype@D@std@@Xbad_alloc@std@@realloc$malloc
String ID:
API String ID: 2093286772-0
Opcode ID: 9a06689949c14d7e461a2d91807c836f04e4942036bc0ee412a77415ea59dab1
Instruction ID: c6a4b1d4710be241c263295ff253b5f3f4decfceca56e4051cc1c9ecb103f80e
Opcode Fuzzy Hash: 9a06689949c14d7e461a2d91807c836f04e4942036bc0ee412a77415ea59dab1
Instruction Fuzzy Hash: 4241A432A08A85C7E7159F19E48016DF7A5EFA9B84B548135EB8E03758DF3CE892C324

Function 00007FF7B85B1060 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7B85AEA0B,?,?,?,?,?,00007FF7B8591B57), ref: 00007FF7B85B114E
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7B85AEA0B,?,?,?,?,?,00007FF7B8591B57), ref: 00007FF7B85B115C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FF7B85AEA0B,?,?,?,?,?,00007FF7B8591B57), ref: 00007FF7B85B1195
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7B85AEA0B,?,?,?,?,?,00007FF7B8591B57), ref: 00007FF7B85B119F
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF7B85AEA0B,?,?,?,?,?,00007FF7B8591B57), ref: 00007FF7B85B11AD
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B11DF

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: b3eafe77f23e340ab0fbbb27909d589890fe0f0ba594e75f2dca38e6e532e1e6
Instruction ID: a4350cac0cbfdfe5698047496d5e677ea4f5c5efb185f88ca36eb41667ab9392
Opcode Fuzzy Hash: b3eafe77f23e340ab0fbbb27909d589890fe0f0ba594e75f2dca38e6e532e1e6
Instruction Fuzzy Hash: 1441D262B0CA4581EF50AF1AA5043A9E351AF36BD4F944631EF6D0B78ADE7CD1439318

Function 00007FF7B85AE060 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z.MSVCP140 ref: 00007FF7B85AE080

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z.MSVCP140 ref: 00007FF7B85AE0D6
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z.MSVCP140 ref: 00007FF7B85AE0F2
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7B85AE102
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z.MSVCP140 ref: 00007FF7B85AE111
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z.MSVCP140 ref: 00007FF7B85AE125

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: Locimp@locale@std@@$??0?$codecvt@_??4?$_Addfac@_Bid@locale@std@@D@std@@Init@locale@std@@Locimp@12@_Locimp@_Mbstatet@@@std@@New_V01@V123@V123@@Vfacet@23@_Yarn@malloc
String ID:
API String ID: 3292048638-0
Opcode ID: 0ab8c0a026c0748c62d6012465bef71c9a1080b2537e426b4505b28fce3cc969
Instruction ID: b107c59b159cd97f80f49f6fa0a1201b8db962de47f5562c80c36e5ed5da8ea5
Opcode Fuzzy Hash: 0ab8c0a026c0748c62d6012465bef71c9a1080b2537e426b4505b28fce3cc969
Instruction Fuzzy Hash: F6310F32609B4182DB249F6AE854269F765FBA9F80F548135DB8E03B64DF3CE095C354

Function 00007FF7B85BA100 Relevance: 7.7, APIs: 5, Instructions: 153COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7B85BA1D2

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z.MSVCP140 ref: 00007FF7B85BA1EC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85BA2A3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85BA2E1
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85BA30B

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$?tolower@?$ctype@Concurrency::cancel_current_taskD@std@@mallocmemcpy
String ID:
API String ID: 4246367773-0
Opcode ID: 0800a9535dcabee4fbfd6a71af2e2be3c79c328b64d21b603466176b62e4baa0
Instruction ID: dae6aaf1c0db735e93daed028fe90b45d28dd01ef7d721e7d65de3c4af49166c
Opcode Fuzzy Hash: 0800a9535dcabee4fbfd6a71af2e2be3c79c328b64d21b603466176b62e4baa0
Instruction Fuzzy Hash: 9B519262F09A4544FB01AFA9D4443BCE361AF66BE4F504635EF6D16B9DDF3890C28214

Function 00007FF7B85BD42E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00007FF7B85BD463
__current_exception_context.VCRUNTIME140 ref: 00007FF7B85BD477
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85BD47F

Strings

csm, xrefs: 00007FF7B85BD44F

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 4c1ebe9c889d1e24800d80439ee52151d95b01ed3f2a35e328354efeca4202be
Instruction ID: bc9ed6c5b92a0c1240d5394d2c2d6133515ea3d514d9760374481db26b601fd0
Opcode Fuzzy Hash: 4c1ebe9c889d1e24800d80439ee52151d95b01ed3f2a35e328354efeca4202be
Instruction Fuzzy Hash: 8AF04937909B40CAC710AF25E8800AC7364FB69B98F895130FB8D47719CF78D891C310

Function 00007FF7B85B4060 Relevance: 6.3, APIs: 4, Instructions: 313COMMON

Download Yara Rule

APIs

?tolower@?$ctype@D@std@@QEBADD@Z.MSVCP140 ref: 00007FF7B85B4122

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: ?tolower@?$ctype@D@std@@
String ID:
API String ID: 1228470278-0
Opcode ID: a97732988279250aba83674aeb871580588b052a58e109c53ee7bb5f94d641bd
Instruction ID: 8fafe1dddee27d0bb5be1183d99613bca894bf2e71daa21a6b8f5821f6dcf223
Opcode Fuzzy Hash: a97732988279250aba83674aeb871580588b052a58e109c53ee7bb5f94d641bd
Instruction Fuzzy Hash: 25C1D622A0C79585EB559F29C450379E7E1EFB6B84F848136EB4D0339ADF2DE492C324

Function 00007FF7B8592D50 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00007FF7B8592E61
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8592E8D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B8592FBB
__std_exception_copy.VCRUNTIME140 ref: 00007FF7B8592FFD

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: 6ec470a77b1fa5836db0abaf0a866b6d511d65f451efe17d2563e04f402c7661
Instruction ID: 02855f7222143874f736114ef499518b505e0ab79b1153aecf8fb67e8bd20057
Opcode Fuzzy Hash: 6ec470a77b1fa5836db0abaf0a866b6d511d65f451efe17d2563e04f402c7661
Instruction Fuzzy Hash: EB818F72A09A8691EB04EF2CD48436CA366EF65B88F948031E74D07B6DDF78D8D6C354

Function 00007FF7B85B1380 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B85912FB), ref: 00007FF7B85B1483
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B85912FB), ref: 00007FF7B85B14D6
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B85912FB), ref: 00007FF7B85B14E0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B152C

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 437ba9ca0ac64ea12b731dda772070f396b9acd10d8a206341a260d8a852dfd7
Instruction ID: 70578bc99182bb275a2200ed4934355a4bf36534b8effcfd0dcd098c406db004
Opcode Fuzzy Hash: 437ba9ca0ac64ea12b731dda772070f396b9acd10d8a206341a260d8a852dfd7
Instruction Fuzzy Hash: 5641E066B08A4191EB40EF19A10426DE291BF66BF4FD40731EB6D07BD9EE7CE046C318

Function 00007FF7B85AEAC0 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF7B85928E6), ref: 00007FF7B85AEB92

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

Part of subcall function 00007FF7B85918F0: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF7B85B12E5,?,?,?,?,00007FF7B85912FB), ref: 00007FF7B85918FB

memcpy.VCRUNTIME140(?,?,?,00007FF7B85928E6), ref: 00007FF7B85AEBB3
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85AEBCF

Part of subcall function 00007FF7B8591850: __std_exception_copy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B85B12EB), ref: 00007FF7B8591894

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,?,?,?,?,?,00007FF7B85928E6), ref: 00007FF7B85AEC41

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: ??1?$basic_streambuf@Concurrency::cancel_current_taskD@std@@@std@@U?$char_traits@Xlength_error@std@@__std_exception_copy_invalid_parameter_noinfo_noreturnmallocmemcpy
String ID:
API String ID: 676814534-0
Opcode ID: c41ff4e6579c01bc50176846254f64b3af41fb1274ed5e0ef75fc1e8cbe97976
Instruction ID: 88839f09732908fc1fc1f2446809361fd2a186fcfd00d4366e3c1aef3230bbc9
Opcode Fuzzy Hash: c41ff4e6579c01bc50176846254f64b3af41fb1274ed5e0ef75fc1e8cbe97976
Instruction Fuzzy Hash: A641A122A0DB4681EB15AF2DE494368E390EF66F94F948131DB6D0B799DE3CD4D38314

Function 00007FF7B85B16B0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7B85B179C
memset.VCRUNTIME140 ref: 00007FF7B85B17A9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B17E2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B182D

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmemcpymemset
String ID:
API String ID: 268977704-0
Opcode ID: c37fed9d1c68c0c4a42d17a1c03663e9f90bc4b266fdd5148ccd75485bf01601
Instruction ID: 488d99e592529d33af7b666df9c85bb2de020dd2b1052ddd7393c90d6b0a1ccd
Opcode Fuzzy Hash: c37fed9d1c68c0c4a42d17a1c03663e9f90bc4b266fdd5148ccd75485bf01601
Instruction Fuzzy Hash: EC41E062B0D64181EB50AF1AA500369E395EF2ABD4F944231EF9D0B789DE7CE046C318

Function 00007FF7B85B8DE0 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(00000000,00007FF7B85B4527), ref: 00007FF7B85B8EBE
memcpy.VCRUNTIME140(00000000,00007FF7B85B4527), ref: 00007FF7B85B8EEC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00007FF7B85B4527), ref: 00007FF7B85B8F55

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B8F62

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemcpymemset
String ID:
API String ID: 2942768764-0
Opcode ID: 33f3f51ee331ee450bf700c08a71ec352e37e0c2b781dab10ece0f125a60a3a4
Instruction ID: e9d03eb1b07183e39d1a2bd0a4cf53c60973a722a827daf394aa71db79764031
Opcode Fuzzy Hash: 33f3f51ee331ee450bf700c08a71ec352e37e0c2b781dab10ece0f125a60a3a4
Instruction Fuzzy Hash: 5841A262709A4585EB14AF29D0442BDE351EF6ABE0F948635EB6D077C8DF3CE056C314

Function 00007FF7B85B1540 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7B85B1622
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B1660
memcpy.VCRUNTIME140 ref: 00007FF7B85B166A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B169F

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: b418927a2593d1719bd1dc61b1ee6dad147d38ec92ef0896e4b909110860578a
Instruction ID: 7f3ecb059630a52481f721f0d4ef23a31e42f9f5e5f35f5fc77133613dde4f89
Opcode Fuzzy Hash: b418927a2593d1719bd1dc61b1ee6dad147d38ec92ef0896e4b909110860578a
Instruction Fuzzy Hash: F231D421B4D78145EB51AF19A544368E255AF36BD4FD80235EF6D0BBC9DE7CE0428318

Function 00007FF7B85B76A0 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7B85B7774
memcpy.VCRUNTIME140 ref: 00007FF7B85B7786
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B77F1

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B77FE

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemcpymemset
String ID:
API String ID: 2942768764-0
Opcode ID: bd08c812783b9a6ecf854335eb26d5a4ec54ec3837699574ebcca09e820636e9
Instruction ID: 46c0b9bd377077491e3ad044c6c9c4083c6c4cafdb477dcbff5940a8ec2d4eef
Opcode Fuzzy Hash: bd08c812783b9a6ecf854335eb26d5a4ec54ec3837699574ebcca09e820636e9
Instruction Fuzzy Hash: CA31D36270EA8686EB04EF2995042BCE215EF26BE0F944631EB6D177C9CE6CE047C314

Function 00007FF7B85AC310 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b2574775618b2a953b1da56e956ad3f1442988d985bf29964b0fb6b73cd5bc
Instruction ID: 6c5b4b3db9248bdb051d03c28df6f284dd445f602f983c38ee2c255308a5efa9
Opcode Fuzzy Hash: 80b2574775618b2a953b1da56e956ad3f1442988d985bf29964b0fb6b73cd5bc
Instruction Fuzzy Hash: C451703660CA8185DB109F28E49036DF3A5FB96B94F944136EB9D8B7A8DF3CC849C714

Function 00007FF7B85B0A50 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7B85B0B4F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B0B92
memcpy.VCRUNTIME140 ref: 00007FF7B85B0B9C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B0BD7

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: a4b0fc4bd338293d66df060b2d692fb83dcad7e6df9281e22de21d85f6d2ebbf
Instruction ID: 23763e749fb2ab6d1ce982ee88691446e02d19ddd5cc03f3e7fa44fed105ff69
Opcode Fuzzy Hash: a4b0fc4bd338293d66df060b2d692fb83dcad7e6df9281e22de21d85f6d2ebbf
Instruction Fuzzy Hash: 2841E121B0C64581EA10AF19A58416DE361FF26BF4F944734EB6C07BD9DE7CE052C328

Function 00007FF7B85B0F10 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,00000004,?,00007FF7B8592BA1), ref: 00007FF7B85B0FEC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000004,?,00007FF7B8592BA1), ref: 00007FF7B85B1020
memcpy.VCRUNTIME140(?,?,00000000,00000004,?,00007FF7B8592BA1), ref: 00007FF7B85B102A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B1053

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: c5d15f9dc8bb5760c0dcedafd9a0af3ba7b9201a5fe4c0a06c58c15f9e8c5fb9
Instruction ID: 9ccd083f7dc34901a5248f56c3fe16e0617dc453ee390fc20c8037cd895d5c6f
Opcode Fuzzy Hash: c5d15f9dc8bb5760c0dcedafd9a0af3ba7b9201a5fe4c0a06c58c15f9e8c5fb9
Instruction Fuzzy Hash: 1931A061B1D78585EF10AF19A5443A8E252BF36BE0F944631EB6D0B7DDDE7CE0428328

Function 00007FF7B85AE780 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF7B85AE7EA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85AE870
memcpy.VCRUNTIME140 ref: 00007FF7B85AE896
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85AE8BA

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: eeaddc8ae32b8eab1d560ada36b05638e19ae3ed09364c8144a7a82f262ba4ac
Instruction ID: ad312d2e5d11fe0a0145df2761e8327158720501e91a634dedb8da6ed80230e5
Opcode Fuzzy Hash: eeaddc8ae32b8eab1d560ada36b05638e19ae3ed09364c8144a7a82f262ba4ac
Instruction Fuzzy Hash: 8531B622A0DB4241EB14AB199550278E291EF26BB0FD44B34DB7D0B7D5DE7CE4D38358

Function 00007FF7B85B1B10 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7B85B1BD6
memcpy.VCRUNTIME140 ref: 00007FF7B85B1BF9
memcpy.VCRUNTIME140 ref: 00007FF7B85B1C08
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B1C29

Part of subcall function 00007FF7B85BA968: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7B85B18F5), ref: 00007FF7B85BA982

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 97c1cec92591c65101fb74efce355569a34a653934d8d81529aab32ce95c0102
Instruction ID: 8c6b837f10bc10eb56a0d091bc2497f1265fc0c0a1669166a3015132b6e63195
Opcode Fuzzy Hash: 97c1cec92591c65101fb74efce355569a34a653934d8d81529aab32ce95c0102
Instruction Fuzzy Hash: 11313A22B0CB4540EB24AF56A500369E255BF76BE4F840635EF6C077C9EE3CE082C314

Function 00007FF7B85B11F0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,00007FF7B85912FB), ref: 00007FF7B85B1228
memcpy.VCRUNTIME140(?,?,?,?,00007FF7B85912FB), ref: 00007FF7B85B12C8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7B85B12E6

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task
String ID:
API String ID: 326894585-0
Opcode ID: 2b3e32f679f3411a96c2b169fd33d6b045a9eec51f056b825c757273bb5d81ba
Instruction ID: ed50506c02d2a40e96bf5b831ce4477a65331ed61a12d19b239ec2fd6087b9b8
Opcode Fuzzy Hash: 2b3e32f679f3411a96c2b169fd33d6b045a9eec51f056b825c757273bb5d81ba
Instruction Fuzzy Hash: 64212922A4D74148EF547F9AA5403B8D150AF367E4F940730EF6D467CAEE7CA0839318

Function 00007FF7B85BA44C Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7B85BA495
GetLastError.KERNEL32 ref: 00007FF7B85BA4A3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7B85B028E), ref: 00007FF7B85BA4D8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7B85B028E), ref: 00007FF7B85BA4E6

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 8b623144414a10440eabf51239d1ed257e13474fb39b30ef0d4b909c3b566fa4
Instruction ID: 1c2099bd3654f0d9d2456bbf2b0af1a3463210ce95d04456e57382a22ddc54da
Opcode Fuzzy Hash: 8b623144414a10440eabf51239d1ed257e13474fb39b30ef0d4b909c3b566fa4
Instruction Fuzzy Hash: B0214C76A1CB4586E3109F15E44432EF6B4FBA9B90F540138EB8953B58CF3DD8468B14

Function 00007FF7B85925C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7B859262D

Part of subcall function 00007FF7B85BA404: MultiByteToWideChar.KERNEL32 ref: 00007FF7B85BA420
Part of subcall function 00007FF7B85BA404: GetLastError.KERNEL32 ref: 00007FF7B85BA42E

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7B85926CA

Part of subcall function 00007FF7B85B1380: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B85912FB), ref: 00007FF7B85B1483

Strings

Unknown exception, xrefs: 00007FF7B85929D7

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: __std_fs_convert_narrow_to_wide$ByteCharErrorLastMultiWidememcpy
String ID: Unknown exception
API String ID: 3269794198-410509341
Opcode ID: 875133cdc6b0287577d0eae591c5892374f0de79a45dd11bba635482a2eaf8d3
Instruction ID: c97615d83213b822ee133ad7e3e4219afa6492ab3351f355a53b69e9ec6a837a
Opcode Fuzzy Hash: 875133cdc6b0287577d0eae591c5892374f0de79a45dd11bba635482a2eaf8d3
Instruction Fuzzy Hash: 5331E0A2A1C78A41EB24AF5AD000668E295EF65FC8F905035EF6D07B88DF3CE492C344

Function 00007FF7B85B58F0 Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7B85B592B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7B85B595E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7B85B597E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7B85B59AB

Memory Dump Source

Source File: 00000000.00000002.1964122326.00007FF7B8591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B8590000, based on PE: true

Associated: 00000000.00000002.1964104937.00007FF7B8590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964157789.00007FF7B85BE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964182926.00007FF7B85C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1964233213.00007FF7B85CC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7b8590000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5306c08254be4f25b98c8f182cf3566cb9460f253310b9e3e7ebdeb50e1a0d8a
Instruction ID: c795b7797a107e888bef5e6757cd5b0126bcf646c0f9319ee9d6e03c20be74fa
Opcode Fuzzy Hash: 5306c08254be4f25b98c8f182cf3566cb9460f253310b9e3e7ebdeb50e1a0d8a
Instruction Fuzzy Hash: AE212F2560DB4182EB15AF1AE55026AE361EFB5FD0F985031EF8E07B9DDE3CE4428364

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_5eddaabcaf5431d6a9e73f24f859e1829c34287e_8bd6df6a_fa43c35e-9b9c-45d3-8592-9ad6b35f7232\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3282.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER331F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER334F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.14656.24748.exe

Function 00007FF7B8591610 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Function 000001622CB00000 Relevance: .0, Instructions: 24
COMMON

Function 00007FF7B85BA518 Relevance: 33.2, APIs: 22, Instructions: 224
fileCOMMON

Function 00007FF7B85BB480 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Function 00007FF7B85943E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142
COMMON

Function 00007FF7B85AF1A0 Relevance: 16.6, APIs: 11, Instructions: 126
COMMON

Function 00007FF7B85B1840 Relevance: 15.1, APIs: 10, Instructions: 110
COMMON

Function 00007FF7B85AF5D0 Relevance: 15.1, APIs: 10, Instructions: 103
COMMON

Function 00007FF7B85B0400 Relevance: 13.6, APIs: 9, Instructions: 138
COMMON

Function 00007FF7B85B0890 Relevance: 13.6, APIs: 9, Instructions: 136
COMMON

Function 00007FF7B85B1C30 Relevance: 13.6, APIs: 9, Instructions: 134
COMMON

Function 00007FF7B85AF760 Relevance: 10.8, APIs: 7, Instructions: 283
COMMON

Function 00007FF7B8592AA0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 184
COMMON

Function 00007FF7B85ACB80 Relevance: 10.7, APIs: 7, Instructions: 178
COMMON

Function 00007FF7B85ABED0 Relevance: 10.7, APIs: 7, Instructions: 178
COMMON