Edit tour

Windows Analysis Report
CSh#U0430rk F1 x.exe

Overview

General Information

Sample name:	CSh#U0430rk F1 x.exe renamed because original name is a hash value
Original sample name:	CShrk F1 x.exe
Analysis ID:	1532884
MD5:	152025c926edf53603411541f0f259c0
SHA1:	0be7af5fc1c37b723e97846acbea794e31300614
SHA256:	e9d09aee08577c911b177231aa238614dc119adb0a1e73ac148f4bac60eab8be
Tags:	exeuser-4k95m
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found API chain indicative of debugger detection

Found direct / indirect Syscall (likely to bypass EDR)

Queries memory information (via WMI often done to detect virtual machines)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to launch a program with higher privileges

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

CSh#U0430rk F1 x.exe (PID: 1772 cmdline: "C:\Users\user\Desktop\CSh#U0430rk F1 x.exe" MD5: 152025C926EDF53603411541F0F259C0)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: CSh#U0430rk F1 x.exe	ReversingLabs: Detection: 36%
Source: CSh#U0430rk F1 x.exe	Virustotal: Detection: 43%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.2% probability

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

Code function: 0_2_00007FF68C948640 TlsGetValue,BCryptGenRandom,SystemFunction036,TlsGetValue,TlsSetValue,HeapFree,HeapFree,TlsGetValue,TlsSetValue,HeapFree,HeapFree,

0_2_00007FF68C948640

Source: CSh#U0430rk F1 x.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF2F2000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2426415652.000001FEBF2F7000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2431269979.000001FEBF2F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF2F2000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2426415652.000001FEBF2F7000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2431269979.000001FEBF2F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF2F2000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2426415652.000001FEBF2F7000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2431269979.000001FEBF2F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF2F2000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2426415652.000001FEBF2F7000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2431269979.000001FEBF2F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9660B0 GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,GetLastError,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,HeapFree,HeapFree,HeapFree,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,	0_2_00007FF68C9660B0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9679F0 NtQueryInformationProcess,GetErrorInfo,NtQueryInformationProcess,HeapFree,HeapFree,	0_2_00007FF68C9679F0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C92C3C7 memcpy,memcmp,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetCurrentProcess,OpenProcessToken,GetTokenInformation,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceFrequency,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,SetThreadExecutionState,	0_2_00007FF68C92C3C7
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C928CE1 memset,HeapFree,memcpy,memset,HeapFree,memcpy,GetComputerNameExW,GetComputerNameExW,GetLastError,HeapFree,HeapFree,HeapFree,memcpy,SysFreeString,SysFreeString,HeapFree,GetErrorInfo,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetErrorInfo,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetTickCount64,HeapFree,HeapFree,HeapFree,HeapFree,memset,GetErrorInfo,SysFreeString,SysFreeString,HeapFree,HeapFree,GetCurrentProcess,OpenProcessToken,GetTokenInformation,memcpy,CoInitializeEx,HeapFree,WaitForSingleObject,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceFrequency,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,SetThreadExecutionState,GetLastError,HeapFree,HeapFree,RegCreateKeyExW,HeapFree,RegOpenKeyExW,HeapFree,HeapFree,HeapFree,RegQueryValueExW,	0_2_00007FF68C928CE1
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C961CD0 NtQuerySystemInformation,GetErrorInfo,GetSystemTimePreciseAsFileTime,HeapFree,HeapFree,memcpy,HeapFree,HeapFree,HeapFree,memcpy,memcpy,memcpy,memcpy,HeapFree,HeapFree,RtlFreeHeap,	0_2_00007FF68C961CD0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C928CE1 memset,HeapFree,memcpy,memset,HeapFree,memcpy,GetComputerNameExW,GetComputerNameExW,GetLastError,HeapFree,HeapFree,HeapFree,memcpy,SysFreeString,SysFreeString,HeapFree,GetErrorInfo,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetErrorInfo,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetTickCount64,HeapFree,HeapFree,HeapFree,HeapFree,memset,GetErrorInfo,SysFreeString,SysFreeString,HeapFree,HeapFree,GetCurrentProcess,OpenProcessToken,GetTokenInformation,memcpy,CoInitializeEx,HeapFree,WaitForSingleObject,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceFrequency,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,SetThreadExecutionState,GetLastError,HeapFree,HeapFree,RegCreateKeyExW,HeapFree,RegOpenKeyExW,HeapFree,HeapFree,HeapFree,RegQueryValueExW,	0_2_00007FF68C928CE1
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C92DC75 HeapFree,HeapFree,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceFrequency,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,SetThreadExecutionState,	0_2_00007FF68C92DC75

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C94D5E0	0_2_00007FF68C94D5E0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C929E90	0_2_00007FF68C929E90
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C925060	0_2_00007FF68C925060
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9660B0	0_2_00007FF68C9660B0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C962880	0_2_00007FF68C962880
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9519C0	0_2_00007FF68C9519C0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C963170	0_2_00007FF68C963170
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C93293F	0_2_00007FF68C93293F
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C96A140	0_2_00007FF68C96A140
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9681B0	0_2_00007FF68C9681B0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C969AF0	0_2_00007FF68C969AF0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C92C3C7	0_2_00007FF68C92C3C7
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C928CE1	0_2_00007FF68C928CE1
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C961CD0	0_2_00007FF68C961CD0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C94AC60	0_2_00007FF68C94AC60
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C949DEE	0_2_00007FF68C949DEE
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C94C5F0	0_2_00007FF68C94C5F0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C921E2D	0_2_00007FF68C921E2D
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C963E30	0_2_00007FF68C963E30
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9555FF	0_2_00007FF68C9555FF
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C923610	0_2_00007FF68C923610
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C92C546	0_2_00007FF68C92C546
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C925710	0_2_00007FF68C925710
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C967F10	0_2_00007FF68C967F10
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C948640	0_2_00007FF68C948640
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9527C0	0_2_00007FF68C9527C0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C924830	0_2_00007FF68C924830
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C958761	0_2_00007FF68C958761
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C93F770	0_2_00007FF68C93F770
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C95B772	0_2_00007FF68C95B772
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C921E2D	0_2_00007FF68C921E2D
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C92E7AA	0_2_00007FF68C92E7AA
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C963FB0	0_2_00007FF68C963FB0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C93D0F0	0_2_00007FF68C93D0F0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C93F130	0_2_00007FF68C93F130
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C956935	0_2_00007FF68C956935
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9230FD	0_2_00007FF68C9230FD
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C968100	0_2_00007FF68C968100
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C953870	0_2_00007FF68C953870
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C935840	0_2_00007FF68C935840
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C92E849	0_2_00007FF68C92E849
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9350B0	0_2_00007FF68C9350B0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C92E849	0_2_00007FF68C92E849
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C924080	0_2_00007FF68C924080
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9611E0	0_2_00007FF68C9611E0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9339F0	0_2_00007FF68C9339F0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9259D0	0_2_00007FF68C9259D0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C944A30	0_2_00007FF68C944A30
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C95DA30	0_2_00007FF68C95DA30
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C93CA00	0_2_00007FF68C93CA00
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C933960	0_2_00007FF68C933960
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C9392E0	0_2_00007FF68C9392E0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C926AE0	0_2_00007FF68C926AE0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C931A60	0_2_00007FF68C931A60
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C928A40	0_2_00007FF68C928A40
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C923240	0_2_00007FF68C923240
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C968AB0	0_2_00007FF68C968AB0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C95E290	0_2_00007FF68C95E290
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C931A93	0_2_00007FF68C931A93
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C938BF0	0_2_00007FF68C938BF0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C951C30	0_2_00007FF68C951C30
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C958404	0_2_00007FF68C958404
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C928340	0_2_00007FF68C928340
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C94F340	0_2_00007FF68C94F340
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C958BB3	0_2_00007FF68C958BB3
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C959B86	0_2_00007FF68C959B86
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C928CE1	0_2_00007FF68C928CE1
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C95D4F0	0_2_00007FF68C95D4F0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C935D10	0_2_00007FF68C935D10
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C951460	0_2_00007FF68C951460
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C933C70	0_2_00007FF68C933C70
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C923470	0_2_00007FF68C923470
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C92DC75	0_2_00007FF68C92DC75
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C93FC50	0_2_00007FF68C93FC50
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C958479	0_2_00007FF68C958479
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Code function: 0_2_00007FF68C943480	0_2_00007FF68C943480

Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2431851481.000001FEBEFFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameApplicationFrameHost.exej% vs CSh#U0430rk F1 x.exe
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417878615.000001FEBEFE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameApplicationFrameHost.exej% vs CSh#U0430rk F1 x.exe

Source: classification engine

Classification label: mal72.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

Code function: 0_2_00007FF68C96A140 CoCreateInstance,SysFreeString,CoSetProxyBlanket,GetErrorInfo,GetErrorInfo,SysFreeString,GetErrorInfo,

0_2_00007FF68C96A140

Source: CSh#U0430rk F1 x.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CSh#U0430rk F1 x.exe	ReversingLabs: Detection: 36%
Source: CSh#U0430rk F1 x.exe	Virustotal: Detection: 43%

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	Section loaded: profapi.dll	Jump to behavior

Source: CSh#U0430rk F1 x.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: CSh#U0430rk F1 x.exe

Static file information: File size 30524416 > 1048576

Source: CSh#U0430rk F1 x.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1cba200

Source: CSh#U0430rk F1 x.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: CSh#U0430rk F1 x.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

API coverage: 5.2 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

Code function: 0_2_00007FF68C94D5E0 HeapFree,HeapFree,HeapFree,GetSystemInfo,HeapFree,memset,memcpy,WakeByAddressAll,WakeByAddressSingle,memcpy,HeapFree,HeapReAlloc,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,WakeByAddressSingle,WakeByAddressSingle,HeapFree,

0_2_00007FF68C94D5E0

Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipesd
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorc.sys
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus PipesZ
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2414207059.000001FEBEADB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V jlktlqfkpuggghd Bus Pipes
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2431269979.000001FEBF309000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition@
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor$
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes2
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2409617032.000001FEBEACD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Re
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitione0
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service'
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partitionl;
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Serviceg
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor3
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2409580092.000001FEBD2BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ime Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorc.sys
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2409921608.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2410092826.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2408831349.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2408899571.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2410620969.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2408985247.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2410558008.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2409727867.000001FEBEAA3000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2408813948.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2410463963.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytesgg
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partition.dll
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2414241239.000001FEBEADA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle C
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisorr
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration ServiceEhN
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF320000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V jlktlqfkpuggghd Bus

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

Code function: 0_2_00007FF68C92C3C7 memcpy,memcmp,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetCurrentProcess,OpenProcessToken,GetTokenInformation,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceFrequency,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,SetThreadExecutionState,

0_2_00007FF68C92C3C7

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-26124

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

Code function: 0_2_00007FF68C9660B0 GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,GetLastError,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,HeapFree,HeapFree,HeapFree,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,

0_2_00007FF68C9660B0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

Code function: 0_2_00007FF68C9211B9 SetUnhandledExceptionFilter,malloc,

0_2_00007FF68C9211B9

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	NtQueryInformationProcess: Indirect: 0x7FF68C96654C	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	NtQueryInformationProcess: Indirect: 0x7FF68C9666B1	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	NtQueryInformationProcess: Indirect: 0x7FF68C967A1C	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	NtQueryInformationProcess: Indirect: 0x7FF68C967AB4	Jump to behavior
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe	NtQuerySystemInformation: Indirect: 0x7FF68C961D80	Jump to behavior

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

0_2_00007FF68C94D5E0

Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2430671978.000001FEBF09F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2425918312.000001FEBEEF6000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2416784373.000001FEBEC18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2425918312.000001FEBEEF6000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2416784373.000001FEBEC18000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2430671978.000001FEBF00C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndg

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

0_2_00007FF68C9660B0

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	421 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	4 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CSh#U0430rk F1 x.exe	37%	ReversingLabs	Win64.Trojan.Generic
CSh#U0430rk F1 x.exe	43%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://excel.office.com	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://excel.office.com	CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.com	CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532884
Start date and time:	2024-10-14 04:44:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CSh#U0430rk F1 x.exe renamed because original name is a hash value
Original Sample Name:	CShrk F1 x.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 54 Number of non-executed functions: 100
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.998964526134545
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	CSh#U0430rk F1 x.exe
File size:	30'524'416 bytes
MD5:	152025c926edf53603411541f0f259c0
SHA1:	0be7af5fc1c37b723e97846acbea794e31300614
SHA256:	e9d09aee08577c911b177231aa238614dc119adb0a1e73ac148f4bac60eab8be
SHA512:	e88cb2eeba5c1ff9e7492235810a1b3eb5e959b8056320db92c02e69d7a3ed532f1051e508d64cfd280613dc008409c31b5c3a4e51f92f42eba52d4bab5b7797
SSDEEP:	786432:7+FxZO069sx0lLnKmv6dKfet6knoearZiBTMyicL9o:7+FiVaxoOmvPG8twDicL9
TLSH:	74673323E6F6F078C251C5769769FB33B672784544356D7703A4C232EF32B50AA2AB06
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............+.......................@.............................0............`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400013d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66F8910B [Sat Sep 28 23:28:11 2024 UTC]
TLS Callbacks:	0x40031530, 0x1, 0x4005bce0, 0x1, 0x4005bcb0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	55ed24bfeecf4f49e33cb0a4d5bfd645

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [01D16D05h]
mov dword ptr [eax], 00000001h
call 00007FF380E60BCFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [01D16CE5h]
mov dword ptr [eax], 00000000h
call 00007FF380E60BAFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FF380EBB33Ch
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FF380E60E09h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push esi
push edi
push ebp
push ebx
dec eax
sub esp, 000000A8h
dec esp
mov edi, eax
dec eax
mov esi, ecx
dec eax
mov dword ptr [esp+30h], 00000000h
mov dword ptr [esp+2Ch], 00000000h
dec eax
mov eax, dword ptr [edx]
dec eax
lea ecx, dword ptr [esp+2Ch]
dec eax
mov dword ptr [esp+20h], ecx
dec esp
lea ecx, dword ptr [esp+30h]
dec eax
mov ecx, edx
mov edx, FFFFFFFFh
inc ecx
mov eax, 00000001h
call dword ptr [eax+20h]
mov ebx, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d1e000	0x1fe8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1d19000	0x1794	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1d22000	0x190	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1d17d40	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1d1e7e8	0x630	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5bd28	0x5be00	bfb4382a5e7bcde055e9ff9583de025c	False	0.49288903061224487	data	6.413404924008895	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x5d000	0x1d0	0x200	ce3e17351d1d3b499ab9333305532ec8	False	0.25	data	1.988519753064259	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5e000	0x1cba200	0x1cba200	53e785aebf4b732705f43c991cf8ca72	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x1d19000	0x1794	0x1800	f0b995c0b3e96002c47d36674443f70f	False	0.53466796875	data	5.783188408459832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x1d1b000	0x1ee8	0x2000	cf3ea1763cd1f9e45839c89b1af4ab48	False	0.27197265625	data	4.757134924705069	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x1d1d000	0x240	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1d1e000	0x1fe8	0x2000	6d685613f45298a11aed0aef9e200218	False	0.3179931640625	COM executable for DOS	4.898223466425682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x1d20000	0x68	0x200	4be18360b3dbcc1279765669684d6708	False	0.076171875	data	0.40665232183492983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1d21000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1d22000	0x190	0x200	c557b26b24530363429c5527c700861a	False	0.619140625	data	4.319290283426142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	AddVectoredExceptionHandler, CheckRemoteDebuggerPresent, CloseHandle, CompareStringOrdinal, CreateDirectoryW, CreateFileW, CreateNamedPipeW, CreateProcessW, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DeleteProcThreadAttributeList, DuplicateHandle, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileW, FreeEnvironmentStringsW, GetComputerNameExW, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFullPathNameW, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetProcAddress, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimePreciseAsFileTime, GetSystemTimes, GetTickCount64, GetWindowsDirectoryW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSection, InitializeProcThreadAttributeList, IsDebuggerPresent, K32GetPerformanceInfo, LeaveCriticalSection, LocalFree, MultiByteToWideChar, OpenProcess, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFileEx, ReadProcessMemory, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetFileInformationByHandle, SetFilePointerEx, SetLastError, SetThreadExecutionState, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SleepEx, SwitchToThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UpdateProcThreadAttribute, VirtualProtect, VirtualQuery, VirtualQueryEx, WaitForSingleObject, WriteConsoleW, WriteFileEx, __C_specific_handler
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-private-l1-1-0.dll	memcmp, memcpy, memmove
api-ms-win-crt-runtime-l1-1-0.dll	__p___argc, __p___argv, __p___wargv, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _exit, _fpreset, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_app_type, _set_invalid_parameter_handler, abort, exit, signal
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfprintf, __stdio_common_vfwprintf, fwrite
api-ms-win-crt-string-l1-1-0.dll	memset, strlen, strncmp, wcslen
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _tzset
ADVAPI32.dll	CopySid, GetLengthSid, GetTokenInformation, IsValidSid, OpenProcessToken, RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, SystemFunction036
ntdll.dll	NtQueryInformationProcess, NtQuerySystemInformation, NtWriteFile, RtlGetVersion, RtlNtStatusToDosError
bcrypt.dll	BCryptGenRandom
ole32.dll	CoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, PropVariantClear
oleaut32.dll	GetErrorInfo, SafeArrayAccessData, SafeArrayDestroy, SafeArrayUnaccessData, SysAllocStringLen, SysFreeString, SysStringLen, VariantClear
pdh.dll	PdhAddEnglishCounterW, PdhCloseQuery, PdhCollectQueryData, PdhGetFormattedCounterValue, PdhOpenQueryA, PdhRemoveCounter
powrprof.dll	CallNtPowerInformation
propsys.dll	PropVariantToBSTR, VariantToPropVariant
psapi.dll	GetModuleFileNameExW
shell32.dll	CommandLineToArgvW, ShellExecuteExW
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng

Target ID:	0
Start time:	22:45:04
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\CSh#U0430rk F1 x.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\CSh#U0430rk F1 x.exe"
Imagebase:	0x7ff68c920000
File size:	30'524'416 bytes
MD5 hash:	152025C926EDF53603411541F0F259C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	58.3%
Total number of Nodes:	1274
Total number of Limit Nodes:	32

Executed Functions

Function 00007FF68C928CE1 Relevance: 172.4, APIs: 80, Strings: 16, Instructions: 4404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68C928E4F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C9290BA

Strings

0, xrefs: 00007FF68C92ADCD
&, xrefs: 00007FF68C9319F6
modnarod, xrefs: 00007FF68C9290E9
!, xrefs: 00007FF68C92DADC
setybdet, xrefs: 00007FF68C92910D
runas, xrefs: 00007FF68C92D83D
*, xrefs: 00007FF68C92DD82
uespemos, xrefs: 00007FF68C9290DC
modnarod, xrefs: 00007FF68C9299F9
arenegyl, xrefs: 00007FF68C9290FB
setybdet, xrefs: 00007FF68C929A18
arenegyl, xrefs: 00007FF68C929A06
ROOT\CIMV2, xrefs: 00007FF68C92A1E8, 00007FF68C92B3F3, 00007FF68C92B6B7, 00007FF68C92BA68, 00007FF68C92BC3F
?, xrefs: 00007FF68C92E483
uespemos, xrefs: 00007FF68C9299EC
#, xrefs: 00007FF68C92B1BF

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpymemset
String ID: !$#$&$*$0$?$ROOT\CIMV2$arenegyl$arenegyl$modnarod$modnarod$runas$setybdet$setybdet$uespemos$uespemos
API String ID: 1297977491-439218697
Opcode ID: c2f00b2d3f898928e690ef62f754f2acd97ef3a179b70cea7742a88de37be139
Instruction ID: c036ff571c81f66e979beb7880b23a15d6b4bccf2208a05cb794aa3b8379f540
Opcode Fuzzy Hash: c2f00b2d3f898928e690ef62f754f2acd97ef3a179b70cea7742a88de37be139
Instruction Fuzzy Hash: 2DA3A172608BC2C1EB608B15E4507AAB7A5FB89B90F504279DEED83B9ADF3CD145C740

Function 00007FF68C9660B0 Relevance: 98.7, APIs: 65, Instructions: 1199memorynativetimeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF68C966156
GetSystemTimes.KERNEL32 ref: 00007FF68C966170
GetLastError.KERNEL32 ref: 00007FF68C966179
GetProcessIoCounters.KERNEL32 ref: 00007FF68C9662EE
OpenProcessToken.ADVAPI32 ref: 00007FF68C966391
GetTokenInformation.ADVAPI32 ref: 00007FF68C9663D4
GetLastError.KERNEL32 ref: 00007FF68C9663DD
GetProcessHeap.KERNEL32 ref: 00007FF68C966401
HeapAlloc.KERNEL32 ref: 00007FF68C96641F
GetTokenInformation.ADVAPI32 ref: 00007FF68C966441
GetLastError.KERNEL32 ref: 00007FF68C966481
GetLastError.KERNEL32 ref: 00007FF68C966495
CloseHandle.KERNEL32 ref: 00007FF68C96649D
GetLastError.KERNEL32 ref: 00007FF68C9664A6
NtQueryInformationProcess.NTDLL ref: 00007FF68C966547
ReadProcessMemory.KERNEL32 ref: 00007FF68C96657F
ReadProcessMemory.KERNEL32 ref: 00007FF68C9665AD
HeapFree.KERNEL32 ref: 00007FF68C966681
NtQueryInformationProcess.NTDLL ref: 00007FF68C9666AC

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Process$ErrorLast$Information$HeapToken$MemoryQueryRead$AllocCloseCountersFreeHandleOpenSystemTimes
String ID:
API String ID: 4058153894-0
Opcode ID: 72d162fd76748bdbc76d18bc7c16b29b6e8c184996938e4a4253b3f542c6b095
Instruction ID: 81e61644cd5fddfd84982950fa675cdfe3d7046757f104b60e6cdc2f4822a0f0
Opcode Fuzzy Hash: 72d162fd76748bdbc76d18bc7c16b29b6e8c184996938e4a4253b3f542c6b095
Instruction Fuzzy Hash: B3C27062A0CFC6C1EA648B25A044BBA67A4FF85784F444179DB9E837D6DF3CE494C780

Function 00007FF68C93293F Relevance: 65.3, APIs: 36, Strings: 1, Instructions: 501
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?), ref: 00007FF68C932B77
HeapFree.KERNEL32 ref: 00007FF68C932BDE

Strings

main, xrefs: 00007FF68C9333B9

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeapmemcpy
String ID: main
API String ID: 673829100-3207122276
Opcode ID: 90af126ca1d7c1501d5ff128086fc056b4161cf3c28cf52c8b4b9a717152444e
Instruction ID: 940ce780fe53171846ccb5c4b6c5037c92931654164e67d45993b47e2f474049
Opcode Fuzzy Hash: 90af126ca1d7c1501d5ff128086fc056b4161cf3c28cf52c8b4b9a717152444e
Instruction Fuzzy Hash: 39423D32A0CAC2C0EA609B12E4547EEA7A4FF89B84F444479DE9D87B9ADF3CD145C740

Function 00007FF68C92C3C7 Relevance: 46.5, APIs: 24, Strings: 2, Instructions: 963
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68C922C70: SysFreeString.OLEAUT32 ref: 00007FF68C922D03
Part of subcall function 00007FF68C922C70: SysFreeString.OLEAUT32 ref: 00007FF68C922D10

HeapFree.KERNEL32 ref: 00007FF68C92CA56

Part of subcall function 00007FF68C961800: TlsGetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96181E
Part of subcall function 00007FF68C961800: ProcessPrng.BCRYPTPRIMITIVES(?,?,?,00000000,?,00000000), ref: 00007FF68C96183D
Part of subcall function 00007FF68C961800: TlsGetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96186A
Part of subcall function 00007FF68C961800: TlsSetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96187A
Part of subcall function 00007FF68C961800: HeapFree.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C961890

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C92C661
HeapFree.KERNEL32 ref: 00007FF68C92C84D
HeapFree.KERNEL32 ref: 00007FF68C92C8F6
HeapFree.KERNEL32 ref: 00007FF68C92C92B

Strings

displayName, xrefs: 00007FF68C92C523, 00007FF68C92C5AD, 00007FF68C92C790
-, xrefs: 00007FF68C92D53D

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$Value$String$PrngProcessmemcpy
String ID: -$displayName
API String ID: 2959858373-3971571706
Opcode ID: f6f9939959358322cbda09bdb7fa19cdad173ea95716748bf130ed501295fef3
Instruction ID: 92e30b097c0107cbda89579789d489f6ad697eca6dc52cb9e909993231b4e79e
Opcode Fuzzy Hash: f6f9939959358322cbda09bdb7fa19cdad173ea95716748bf130ed501295fef3
Instruction Fuzzy Hash: 4DB24A32609BC2C5EB708B15E4507AAB7A4FB88780F50417ADADD83B9AEF7CD145DB40

Function 00007FF68C94D5E0 Relevance: 41.7, APIs: 21, Strings: 2, Instructions: 1442memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C9527C0: HeapFree.KERNEL32 ref: 00007FF68C95283F
Part of subcall function 00007FF68C9527C0: HeapFree.KERNEL32 ref: 00007FF68C952850

HeapFree.KERNEL32 ref: 00007FF68C94D6BB
HeapFree.KERNEL32 ref: 00007FF68C94D755
HeapFree.KERNEL32 ref: 00007FF68C94D9F7
GetSystemInfo.KERNEL32 ref: 00007FF68C94DA27

Strings

RAYON_NUM_THREADSRAYON_RS_NUM_CPUSrunas, xrefs: 00007FF68C94D62E
RUST_MIN_STACKmain, xrefs: 00007FF68C94E7EF

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$InfoSystem
String ID: RAYON_NUM_THREADSRAYON_RS_NUM_CPUSrunas$RUST_MIN_STACKmain
API String ID: 738346042-1352447344
Opcode ID: ec33e4587758eaf02b3d2a3673f09fceae4b5a54935b90e45ba5d341cf886638
Instruction ID: 985b02df175a62f9afaad14858971d3b6cbc3dcbea2248ea230724d30986031f
Opcode Fuzzy Hash: ec33e4587758eaf02b3d2a3673f09fceae4b5a54935b90e45ba5d341cf886638
Instruction Fuzzy Hash: 02E28D22A09AC2C1EE758B15E4443BAB3A4FF94794F04867ADAAD837D6DF3CD595C300

Function 00007FF68C925060 Relevance: 31.8, APIs: 21, Instructions: 348
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF68C92512F
HeapFree.KERNEL32 ref: 00007FF68C92516C
HeapFree.KERNEL32 ref: 00007FF68C92534D
HeapFree.KERNEL32 ref: 00007FF68C92537D
HeapFree.KERNEL32 ref: 00007FF68C9253BD
HeapFree.KERNEL32 ref: 00007FF68C9253D6
HeapFree.KERNEL32 ref: 00007FF68C9253FC
HeapFree.KERNEL32 ref: 00007FF68C925415
HeapFree.KERNEL32 ref: 00007FF68C92542E
PdhRemoveCounter.PDH ref: 00007FF68C925486
CloseHandle.KERNEL32 ref: 00007FF68C9254DB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$CloseCounterHandleRemove
String ID:
API String ID: 1366079419-0
Opcode ID: 4827f3a5fb5b7dacc80f42c388b2e12bd98189e7dd688a3d2695921db36c4424
Instruction ID: 7794c6b8ff6a5a27665d9f1587534b9bac26393ce46efd3e5132f64fd26f337a
Opcode Fuzzy Hash: 4827f3a5fb5b7dacc80f42c388b2e12bd98189e7dd688a3d2695921db36c4424
Instruction Fuzzy Hash: C3E1B222A09AC6C1FF248B6594547B853A1BF48B54F4841BAEABD977D2DF7CE481C340

Function 00007FF68C961CD0 Relevance: 30.3, APIs: 15, Strings: 2, Instructions: 576
nativetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF68C961D7B
GetErrorInfo.OLEAUT32 ref: 00007FF68C961D9B
GetSystemTimePreciseAsFileTime.KERNEL32 ref: 00007FF68C961F01

Strings

unknownARM x64CPU , xrefs: 00007FF68C962CB1
0, xrefs: 00007FF68C9629EB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: SystemTime$ErrorFileInfoInformationPreciseQuery
String ID: 0$unknownARM x64CPU
API String ID: 158570166-152856199
Opcode ID: 94f9efa7abc8a8c3ead84d508a0ffa3114447b49c959072b847552d122f56c88
Instruction ID: 935c5bf172671f9f0ba9b22348804a90832841a086a6ce64fea8aec391df58c6
Opcode Fuzzy Hash: 94f9efa7abc8a8c3ead84d508a0ffa3114447b49c959072b847552d122f56c88
Instruction Fuzzy Hash: 3142C132A08FC5C1EA658B25A404BFAA3A4FF95784F448239DF9D96AD6DF3CD184C740

Function 00007FF68C921E2D Relevance: 25.0, APIs: 13, Strings: 1, Instructions: 544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C921E66
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeString$memcpy
String ID: 0
API String ID: 533883584-4108050209
Opcode ID: 50b96330b10b7d47c9f5546d11b14d233ea469d038f212d2914e309df0be2ac2
Instruction ID: fe77f8c1799e7075c4d741bf5813689562022d24dca34a2a8fa51a9d43356fe8
Opcode Fuzzy Hash: 50b96330b10b7d47c9f5546d11b14d233ea469d038f212d2914e309df0be2ac2
Instruction Fuzzy Hash: 8C429132A0CBC1C1EA318B15A4507FAA7A0FF99794F404179DAEC93A9AEF3CD555CB40

Function 00007FF68C92DC75 Relevance: 24.3, APIs: 16, Instructions: 254
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF68C92DDFB
HeapFree.KERNEL32 ref: 00007FF68C92DE0C
QueryPerformanceCounter.KERNEL32 ref: 00007FF68C92DE1F
QueryPerformanceFrequency.KERNEL32 ref: 00007FF68C92DE4B
QueryPerformanceCounter.KERNEL32 ref: 00007FF68C92DEE5
QueryPerformanceFrequency.KERNEL32 ref: 00007FF68C92DF11

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: PerformanceQuery$CounterFreeFrequencyHeap
String ID:
API String ID: 3102513981-0
Opcode ID: ad587353745b02789d553ddf97c86c22643eacc695827c5e987124cabeee557f
Instruction ID: 8a86c0a1df6d4cf35d7a441f500b1e2c6df730ec275dd1d3131b2fe94a5402d5
Opcode Fuzzy Hash: ad587353745b02789d553ddf97c86c22643eacc695827c5e987124cabeee557f
Instruction Fuzzy Hash: AAA1F922F0D6C2C2FE24DA59A4647B96295BF98780F044079DE9E86BD7CF7CE542C740

Function 00007FF68C9681B0 Relevance: 17.0, APIs: 11, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010ce4dc0debaf448ef07b04937072c59ac8582eff4e42d97f0964fba0fdaa43
Instruction ID: 2b3ffb553646563f04b4ccc01941c1a4ad161cb65882d1019756048c7e68dd51
Opcode Fuzzy Hash: 010ce4dc0debaf448ef07b04937072c59ac8582eff4e42d97f0964fba0fdaa43
Instruction Fuzzy Hash: EA12D622A18FC5C1EA218B25A40076AA7A0FF45BD4F55427AEF8D93B96EF3CD181C344

Function 00007FF68C963170 Relevance: 10.8, APIs: 7, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b46481683bb0d36841eaf31f2bd210b0632c0c5a82eee86814717a4cbdc2a3
Instruction ID: 2970dd379c4e455d1d5f53ba58c339fa4b00609e69b5d7374f58621a2bb9b791
Opcode Fuzzy Hash: 60b46481683bb0d36841eaf31f2bd210b0632c0c5a82eee86814717a4cbdc2a3
Instruction Fuzzy Hash: 57F16A32A19FC5C1EA618B15E4407AAB3A4FBD9794F40422ADBDD53B9AEF3CD190C740

Function 00007FF68C962880 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 325
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32 ref: 00007FF68C9628C6
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C962CEC
HeapFree.KERNEL32 ref: 00007FF68C962D05

Strings

0, xrefs: 00007FF68C9629EB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeapInfoSystemmemcpy
String ID: 0
API String ID: 3308777956-4108050209
Opcode ID: 404353b3a8d039b486dee1d3b9b6aac3da3c49f61fbbb9e39aa0790207e85432
Instruction ID: 04f1cf6105b64e716eeb808797c1ee7bf37471e238f94f94a6c4eb970c930628
Opcode Fuzzy Hash: 404353b3a8d039b486dee1d3b9b6aac3da3c49f61fbbb9e39aa0790207e85432
Instruction Fuzzy Hash: E1E16B32A0CFC185EA618B15A4417EAA7A4FF88784F054179DF8D97B9ADF3CE141C780

Function 00007FF68C94AC60 Relevance: 9.4, APIs: 6, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f43a0b68f04ca8f2b4c0bf9bf4dbe044ff7a6c630ae721857b81b1962a1ae6
Instruction ID: 254b56e7df3f5cebbb01fe9feef8b6dfba930e4e263f46a4298ae03c44c309ee
Opcode Fuzzy Hash: d4f43a0b68f04ca8f2b4c0bf9bf4dbe044ff7a6c630ae721857b81b1962a1ae6
Instruction Fuzzy Hash: F3029272A09BCAC1EE758A25D4403BE6391FF58BA0F14817ADA7E87796DF2CE451C304

Function 00007FF68C92C546 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 549COMMON

Download Yara Rule

Strings

ROOT\CIMV2, xrefs: 00007FF68C92A1E8

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: ROOT\CIMV2
API String ID: 0-2786109267
Opcode ID: 1d8217cd8db557e39bf23c92d629e505a4cac9bec28c7c1899340a9821643011
Instruction ID: 10b8b6c590012c46bef13ad0d22bff8f8a5dacfc2e1a0ef1a983fe2cf681a5de
Opcode Fuzzy Hash: 1d8217cd8db557e39bf23c92d629e505a4cac9bec28c7c1899340a9821643011
Instruction Fuzzy Hash: 5C527E72609BC2C5EB608B15E4503AA77A4FB98B80F04917ADEDD83B9ADF3CD550D780

Function 00007FF68C96A140 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF68C96A206
CoSetProxyBlanket.OLE32 ref: 00007FF68C96A23A
GetErrorInfo.OLEAUT32 ref: 00007FF68C96A262
GetErrorInfo.OLEAUT32 ref: 00007FF68C96A295
SysFreeString.OLEAUT32 ref: 00007FF68C96A2B5
GetErrorInfo.OLEAUT32 ref: 00007FF68C96A2EC

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorInfo$FreeString$BlanketProxy
String ID:
API String ID: 1303109439-0
Opcode ID: 664f7aab06423971a46c950386747f7de9d8e0b1d85871583196955750c8c1f6
Instruction ID: a8f80e53c6ba411a71b95d1e0fb86c6f5d098e54d3af4e828f14abfc1b066188
Opcode Fuzzy Hash: 664f7aab06423971a46c950386747f7de9d8e0b1d85871583196955750c8c1f6
Instruction Fuzzy Hash: BD515E22609AC1C2EF549F65E45476BA7A0FF84B94F048079EF8A87B96DFBDD044C740

Function 00007FF68C968100 Relevance: 7.9, APIs: 5, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d6fb625223bc6a466778d85b122ec81e49a204b46f79ff25f746334822ed48
Instruction ID: e844f7bcc89e0bccbc195412e415a94faeb2259da0bc92c8392082b8e1f91c8f
Opcode Fuzzy Hash: 21d6fb625223bc6a466778d85b122ec81e49a204b46f79ff25f746334822ed48
Instruction Fuzzy Hash: 92F11262A18BC181EB208B15E40077AA7A0FF85794F55823AEB9D93FD6EF7CD581C344

Function 00007FF68C9679F0 Relevance: 7.6, APIs: 5, Instructions: 83memorynativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00007FF68C967A17
GetErrorInfo.OLEAUT32 ref: 00007FF68C967A38
NtQueryInformationProcess.NTDLL ref: 00007FF68C967AAF
HeapFree.KERNEL32(?,?), ref: 00007FF68C967ADA
HeapFree.KERNEL32(?,?), ref: 00007FF68C967AED

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeapInformationProcessQuery$ErrorInfo
String ID:
API String ID: 2435025923-0
Opcode ID: 5c65f84ea6d1147ced56518bcf66d3a2bb71d6ab04ee36ab2beacc505ef9b98c
Instruction ID: aabf79091a0f188b12ab757227032b5520e0e6c712f08b0b346e0fbbecda3192
Opcode Fuzzy Hash: 5c65f84ea6d1147ced56518bcf66d3a2bb71d6ab04ee36ab2beacc505ef9b98c
Instruction Fuzzy Hash: 9B319062B09A82C1FF249B62E540B7E66A0BF88B84F544179DB4EC7BD6DE3DD541C340

Function 00007FF68C929E90 Relevance: 4.9, APIs: 3, Instructions: 395COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C969300: memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68C969361
Part of subcall function 00007FF68C969300: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF68C969423
Part of subcall function 00007FF68C969300: GetLastError.KERNEL32 ref: 00007FF68C96942C
Part of subcall function 00007FF68C969300: K32GetPerformanceInfo.KERNEL32 ref: 00007FF68C969472
Part of subcall function 00007FF68C969300: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C96950A

Part of subcall function 00007FF68C969530: GetLastError.KERNEL32 ref: 00007FF68C969570
Part of subcall function 00007FF68C969530: K32GetPerformanceInfo.KERNEL32 ref: 00007FF68C9695B2

GetComputerNameExW.KERNEL32 ref: 00007FF68C929EF1
GetLastError.KERNEL32 ref: 00007FF68C929F29

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$InfoPerformance$ComputerGlobalMemoryNameStatusmemcpymemset
String ID:
API String ID: 1427969580-0
Opcode ID: c3693956cab937d82499779056128ff5bd833bd7ceab96c91af5f4835c35b8a2
Instruction ID: d46ea48dbdbe146842effa96d0200c24116226018ff44dd50fbb379e29434689
Opcode Fuzzy Hash: c3693956cab937d82499779056128ff5bd833bd7ceab96c91af5f4835c35b8a2
Instruction Fuzzy Hash: 7232C236649BC295EA70CB15F4507AAB7A8FB88740F504129DADC83F6AEF7CC154DB80

Function 00007FF68C969AF0 Relevance: 1.5, APIs: 1, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e2f1d2d7ec97dde5930c35012a2fffab26fb9b9f91ba01edaa8fd4d8e2d5f8
Instruction ID: 8adc2c5634da276786361b969a1bcefa362617498b35aa16efdb15d59ff8728e
Opcode Fuzzy Hash: 82e2f1d2d7ec97dde5930c35012a2fffab26fb9b9f91ba01edaa8fd4d8e2d5f8
Instruction Fuzzy Hash: 4F916622F18DC2C5EFA88A25D51077A6A91FF44798F054279EB6E87BD6DE3CE140D340

Function 00007FF68C9519C0 Relevance: 1.4, APIs: 1, Instructions: 162COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,FFFFFFFF,00007FF68C953011), ref: 00007FF68C951B84

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: bf0c95b33f9936904ae2765593f19029f3ccad539fe360f583df4964aecb7a38
Instruction ID: 2d980ee60e004be5483ee5f260ba960ca516691e4a01964cdd30c3409f1df43a
Opcode Fuzzy Hash: bf0c95b33f9936904ae2765593f19029f3ccad539fe360f583df4964aecb7a38
Instruction Fuzzy Hash: 67511413A0D6C1C6FB314A29A55037B6B50FB59389F045279EE8E86BDAEE3CD285C740

Function 00007FF68C9221B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetErrorInfo.OLEAUT32 ref: 00007FF68C92232D
GetErrorInfo.OLEAUT32 ref: 00007FF68C922391
SysFreeString.OLEAUT32 ref: 00007FF68C9223A3
PropVariantClear.OLE32 ref: 00007FF68C9223B0
SysFreeString.OLEAUT32 ref: 00007FF68C922465
VariantClear.OLEAUT32 ref: 00007FF68C922582
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeString$ClearErrorInfoVariant$Prop
String ID: 0
API String ID: 2610251959-4108050209
Opcode ID: 6eab7ecc527cd6b100ef869782f59566a180efc7fc42f5945f2686aca6c5a658
Instruction ID: b34316ab3fa094c0113be7bf790e6c3f4caef8e979cad02a032fd129afd7d817
Opcode Fuzzy Hash: 6eab7ecc527cd6b100ef869782f59566a180efc7fc42f5945f2686aca6c5a658
Instruction Fuzzy Hash: 99D14C3250CBC1C1EA618B15E4543EEB7A0FF99784F40812ADADD87A9ADF7CD285CB40

Function 00007FF68C94CE20 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C94CF60
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C94CF72
WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C94D00A
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C94D01C
HeapFree.KERNEL32 ref: 00007FF68C94D0C2
HeapFree.KERNEL32 ref: 00007FF68C94D125

Strings

main, xrefs: 00007FF68C94CE5D

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: AddressWake$FreeHeapSingle
String ID: main
API String ID: 1649007778-3207122276
Opcode ID: 0eee47087b09b15adbed62e8ce99d87e6b254d707d7f10c0f315e2e8a79f985e
Instruction ID: 6f4b303b25df76c7e7d9fa2cf107939210193b774a1fb2899ce6c9f17cd24bce
Opcode Fuzzy Hash: 0eee47087b09b15adbed62e8ce99d87e6b254d707d7f10c0f315e2e8a79f985e
Instruction Fuzzy Hash: D1A18926A09AC2C0EE76DB11D4547BA2364FF84B94F4485BACA6D876D7CF3CE556C300

Function 00007FF68C921BA3 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32 ref: 00007FF68C921C1B
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeString$AllocHeap
String ID: 0
API String ID: 1043762764-4108050209
Opcode ID: 5a6a86b9f585299c8f94c9f7da16dc03b2a7cdd5659d10d2a8e0097ee878783e
Instruction ID: 3475293242b491fa271fcc07e0f4f325805c179a6004f5328f14a43b4a5a04a1
Opcode Fuzzy Hash: 5a6a86b9f585299c8f94c9f7da16dc03b2a7cdd5659d10d2a8e0097ee878783e
Instruction Fuzzy Hash: 5D919022A09BC1C1EA618B15A5103BAA7A0FF99794F448179DFED87B97DF3DE184C700

Function 00007FF68C921D76 Relevance: 12.2, APIs: 8, Instructions: 205
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C921E66
HeapFree.KERNEL32 ref: 00007FF68C922BA4
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$String$Heapmemcpy
String ID:
API String ID: 3504077463-0
Opcode ID: e8567a9c3bf3687e89b2600cf35a55f5b7f8d48fc6451cf66221d7e8e7d28ffe
Instruction ID: 800de287362ac7a5afb5eb3e062b25f563dadc4ca6b341b0c85cc507bc408f33
Opcode Fuzzy Hash: e8567a9c3bf3687e89b2600cf35a55f5b7f8d48fc6451cf66221d7e8e7d28ffe
Instruction Fuzzy Hash: 88B14736608BC2C1EA718B15E4503EAB7A0FB99B50F44816ADAEC93B5ADF7CD055CB40

Function 00007FF68C969300 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68C961800: TlsGetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96181E
Part of subcall function 00007FF68C961800: ProcessPrng.BCRYPTPRIMITIVES(?,?,?,00000000,?,00000000), ref: 00007FF68C96183D
Part of subcall function 00007FF68C961800: TlsGetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96186A
Part of subcall function 00007FF68C961800: TlsSetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96187A
Part of subcall function 00007FF68C961800: HeapFree.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C961890

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68C969361
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF68C969423
GetLastError.KERNEL32 ref: 00007FF68C96942C
K32GetPerformanceInfo.KERNEL32 ref: 00007FF68C969472
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C96950A

Strings

@, xrefs: 00007FF68C969416

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Value$ErrorFreeGlobalHeapInfoLastMemoryPerformancePrngProcessStatusmemcpymemset
String ID: @
API String ID: 3165673868-2766056989
Opcode ID: b76efeba4d025d127e61280de1f7f9ee75442c8425cd8478e6d8daa1e541982f
Instruction ID: 4d791216faafcd7d495170a91e6f663414b612a9512fb7cfa56d7c8264542ee5
Opcode Fuzzy Hash: b76efeba4d025d127e61280de1f7f9ee75442c8425cd8478e6d8daa1e541982f
Instruction Fuzzy Hash: 59515022908BC481E6724B15B5067EBA3A4FFE5398F005225EFC846796DF7DD195CB40

Function 00007FF68C95EDE0 Relevance: 9.2, APIs: 6, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C95EE79
HeapFree.KERNEL32 ref: 00007FF68C95EE8A
GetLastError.KERNEL32 ref: 00007FF68C95EE8F
HeapFree.KERNEL32 ref: 00007FF68C95EF1A
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C95EF59
HeapFree.KERNEL32 ref: 00007FF68C95EFB3

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$AddressErrorLastSingleWake
String ID:
API String ID: 3127715783-0
Opcode ID: 734e49fb8617a3af6298d840acb8ab1c02d29611af1ba24242b38459b2f4e35c
Instruction ID: f56d967cb62fe8ed305438970eaec7deef3ec274734852fc934200e28ccf6cd4
Opcode Fuzzy Hash: 734e49fb8617a3af6298d840acb8ab1c02d29611af1ba24242b38459b2f4e35c
Instruction Fuzzy Hash: 4751DD22B09A81C0EF158B1A954577863A1BF89BD4F4845B9DE2C873D6DF3EE4A2C340

Function 00007FF68C961800 Relevance: 9.1, APIs: 6, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96181E
ProcessPrng.BCRYPTPRIMITIVES(?,?,?,00000000,?,00000000), ref: 00007FF68C96183D
TlsGetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96186A
TlsSetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96187A
HeapFree.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C961890
TlsGetValue.KERNEL32(00000000,?,?), ref: 00007FF68C9618B9

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Value$FreeHeapPrngProcess
String ID:
API String ID: 388412035-0
Opcode ID: 34dcdeee4dee11479e325f0e0622038de2bfec91b8c405699dbc1b2f8ce104e3
Instruction ID: 583365a601ee8aa1774a8a3ab6cf41568a9cffeb4426fc22fb44ab66f7b5ed0f
Opcode Fuzzy Hash: 34dcdeee4dee11479e325f0e0622038de2bfec91b8c405699dbc1b2f8ce104e3
Instruction Fuzzy Hash: 0611D512E1CAD2C2FD516B295401AF95394BF84B84F0945F9EB1DC63D7EE2CA941C2C0

Function 00007FF68C9222EF Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
VariantClear.OLEAUT32 ref: 00007FF68C922614
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ClearFreeStringVariant
String ID: 0
API String ID: 1438600931-4108050209
Opcode ID: 16726975d860eaa7f1254062617b8c724505dedeb5f48dd1b4d932c88057d4fa
Instruction ID: 609f48011feb7ee13d38d468b7227091e06966b845516ee60de1949c512b0565
Opcode Fuzzy Hash: 16726975d860eaa7f1254062617b8c724505dedeb5f48dd1b4d932c88057d4fa
Instruction Fuzzy Hash: F591712290CBC1C1EB618B15A4543FAA7A0FF99794F049169EFDD47A5ADF3CD184DB00

Function 00007FF68C922297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: 0
API String ID: 3349467263-4108050209
Opcode ID: 6147ada7f8d6e25529f485fa3d6e16ace8d939be2c7e5330dccd9f391041c411
Instruction ID: 4a50e2c19553aa635ab569557261c8165449a20eb0b8c57c6f5082dae5c3faf9
Opcode Fuzzy Hash: 6147ada7f8d6e25529f485fa3d6e16ace8d939be2c7e5330dccd9f391041c411
Instruction Fuzzy Hash: 1E81902290CBC1C1EB718B15A4503FAA7A0FF99794F049269EFDC46A9ADF3CD184DB00

Function 00007FF68C922179 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: c6b8a1ce5dd03108380de8e64f0e0fac7cd0ebd15bc6e32e298071760cb54781
Instruction ID: cb9b4a7baefddd78d3e29f18498908a58f84a940c4b8c4e43002fdd131bfcb74
Opcode Fuzzy Hash: c6b8a1ce5dd03108380de8e64f0e0fac7cd0ebd15bc6e32e298071760cb54781
Instruction Fuzzy Hash: BB71922290CBC1C1EA618B15A4543FAA760FF99794F049169EFDD47AAADF3CE184DB00

Function 00007FF68C922180 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: 564480c60182985c9452a61c710d257081c7f7dbaf9c75ac7740f02244e63b6c
Instruction ID: 4483e7251ade4a97f13b1f57d809a79a7e7c7fdec70d7d6e47a0e74e8b644e02
Opcode Fuzzy Hash: 564480c60182985c9452a61c710d257081c7f7dbaf9c75ac7740f02244e63b6c
Instruction Fuzzy Hash: 4371932290CBC1C1EA718B15A4543FAA760FF99794F049169EFDD46A9ADF3CE184DB00

Function 00007FF68C922187 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: 1b796a38eaf38446c701e0270b4a8d1ee555bef9b63cb918b38a30d2e8887200
Instruction ID: b8fda85bbec125d371b6e5e65e2bd7063079dbbcee0b4a933aa46e2452c84afd
Opcode Fuzzy Hash: 1b796a38eaf38446c701e0270b4a8d1ee555bef9b63cb918b38a30d2e8887200
Instruction Fuzzy Hash: 3F71922290CBC1C1EA618B15A4543FAA760FF99794F049169EFDD47A9ADF3CE184DB00

Function 00007FF68C92218E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: beb5654029c2a211afd2580c65c805563ed4fd74d385d7579cb12a079e88c266
Instruction ID: e917093f9a25c449bd928ec07eb8cce310f8345f909168ed030e528cb9ddff4f
Opcode Fuzzy Hash: beb5654029c2a211afd2580c65c805563ed4fd74d385d7579cb12a079e88c266
Instruction Fuzzy Hash: 8A71A22290CBC1C1EA718B15A4543FAA760FF99794F048269EFDD46A9ADF3CE184DB00

Function 00007FF68C922192 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: 8988ad5062aa89244ae3a1d29d4ed7a256133406256190dd49d75299c8a518df
Instruction ID: 375bd5fc41f52cdc5b718b7af3ead22fa09b1dddecbe856e631383c2fd165ff5
Opcode Fuzzy Hash: 8988ad5062aa89244ae3a1d29d4ed7a256133406256190dd49d75299c8a518df
Instruction Fuzzy Hash: 5B71932290CBC1C1EA618B15A4543FAA760FF99794F049169EFDD47A9ADF3CD184DB00

Function 00007FF68C9222CE Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: 4fd00093b7225960ba2e72bc119ee02ddbe58509c2fe2c93718b981c0bc26b2b
Instruction ID: 43552a7694db96b07ae986071cf5c3527814637157b138fa06579f127d4764a7
Opcode Fuzzy Hash: 4fd00093b7225960ba2e72bc119ee02ddbe58509c2fe2c93718b981c0bc26b2b
Instruction Fuzzy Hash: EF71922290CBC1C1EA618B15A4543FAB760FF99794F049169EFDD47A9ADF3CE184DB00

Function 00007FF68C922199 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: 620cc0f113c21af176d93d5debed8c17721061c8d98184afe3875defacb8c97d
Instruction ID: 1761af02239f21cbcee070bb6706bf67e25b826a79dd14bb6da09c4147e91f1a
Opcode Fuzzy Hash: 620cc0f113c21af176d93d5debed8c17721061c8d98184afe3875defacb8c97d
Instruction Fuzzy Hash: 8E71922290CBC1C1EA618B15A4543FAA760FF99794F049269EFDD46A9ADF3CD184DB00

Function 00007FF68C9222E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: fb0d792b1007b19c6b9899c9fcc4661a454a4c9b08b0c3954f4b19b1b32c6ba6
Instruction ID: 1abe416bec05e5fea42bf88a7853c37b724662c498a7d3033595506df45c57bb
Opcode Fuzzy Hash: fb0d792b1007b19c6b9899c9fcc4661a454a4c9b08b0c3954f4b19b1b32c6ba6
Instruction Fuzzy Hash: 6F71922290CBC1C1EA618B15A4543FAA7A0FF99794F049169EFDD46A9ADF3CD184DB00

Function 00007FF68C9222BF Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: 1f80f77591d0f520a73befd0e5872e2b69754110f9ce0dd4e19df9bdeb61043a
Instruction ID: fa8eabeb9d3c62159cde9a5dff24e91d6b940afc3d1a2167d0d3754322913508
Opcode Fuzzy Hash: 1f80f77591d0f520a73befd0e5872e2b69754110f9ce0dd4e19df9bdeb61043a
Instruction Fuzzy Hash: 7871922290CBC1C1EA618B15A4543FAA760FF99794F049169EFDD47A9ADF3CD184DB00

Function 00007FF68C9222D2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: 0a135da4df8ee1c6b8c5c71998eefddacecb05601b72a300ec0639f51453dfe6
Instruction ID: 34f415c1ceb881634f909959037e55fa1ac0393a62208f7234b581e08ebd4a05
Opcode Fuzzy Hash: 0a135da4df8ee1c6b8c5c71998eefddacecb05601b72a300ec0639f51453dfe6
Instruction Fuzzy Hash: 3E71922290CBC1C1EA618B15A4543FAB7A0FF99794F049169EFDD47A9ADF3CE184DB00

Function 00007FF68C92207D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: f8697c42da3c062860e12baf046b33b2f09704da1171ef1ca60e6057338b5d06
Instruction ID: e86eb1536ee6d45b90bec1e23112b169bbe2d2874806c1a62e773505035647ad
Opcode Fuzzy Hash: f8697c42da3c062860e12baf046b33b2f09704da1171ef1ca60e6057338b5d06
Instruction Fuzzy Hash: CE71942290CBC1C1EB618B15A4543FAA760FF99794F048169EFDD47A9ADF3CD184DB00

Function 00007FF68C9221A9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
VariantClear.OLEAUT32 ref: 00007FF68C922614
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$ClearStringVariant$Process
String ID: 0
API String ID: 755876286-4108050209
Opcode ID: 9e353414226e72e5f34c286b5d359e5d68590ca7faa4d5afc437f796dfbfa195
Instruction ID: 6bc92fda3e154a0e8f2b268a9053f7fca563f77f6c892c076c85242da0fce786
Opcode Fuzzy Hash: 9e353414226e72e5f34c286b5d359e5d68590ca7faa4d5afc437f796dfbfa195
Instruction Fuzzy Hash: 6A71932290CBC1C1EA618B15A4543FAA760FF99794F049169EFDD47A9ADF3CD184DB00

Function 00007FF68C9220B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF68C922582
GetProcessHeap.KERNEL32 ref: 00007FF68C9225DB
HeapFree.KERNEL32 ref: 00007FF68C9225E8
HeapFree.KERNEL32 ref: 00007FF68C92299D
HeapFree.KERNEL32 ref: 00007FF68C9229F0
SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Free$Heap$String$ClearProcessVariant
String ID: 0
API String ID: 1035934229-4108050209
Opcode ID: 9903c134b1e95f4037bfcbe0ef5b3c97beb4909e0bc72f8fc7ff2f9048e1564b
Instruction ID: d2842ac2ebb3572961623db9060f03744ed64b4f40b001068e30e4e17371b33a
Opcode Fuzzy Hash: 9903c134b1e95f4037bfcbe0ef5b3c97beb4909e0bc72f8fc7ff2f9048e1564b
Instruction Fuzzy Hash: CD51C322A0CBC1C1EE608B11A5107BA6760FF99798F058178EEED87A97DF3DE584D700

Function 00007FF68C9677D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?), ref: 00007FF68C967852
GetLastError.KERNEL32(?), ref: 00007FF68C967875
HeapFree.KERNEL32(?), ref: 00007FF68C9678AF

Strings

ReadProcessMemory returned unexpected number of bytes readUnable to read process dataIntel x86MIPSRISC AlphaPPCSHXARMIntel Itanium-based x64RISC Alpha x64MSIL(Intel or AMD) x64Intel Itanium-based x86unknownARM x64CPU , xrefs: 00007FF68C96788D

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorFreeHeapLastMemoryProcessRead
String ID: ReadProcessMemory returned unexpected number of bytes readUnable to read process dataIntel x86MIPSRISC AlphaPPCSHXARMIntel Itanium-based x64RISC Alpha x64MSIL(Intel or AMD) x64Intel Itanium-based x86unknownARM x64CPU
API String ID: 2093145822-811746041
Opcode ID: 1c78e0e252bebcd70450fce440d472f6a1e3912144bb1b639d284620a718b5bd
Instruction ID: 1f1b8ea3f8d5774bf4c22ef4696ea5fb10a9db67f5f626847c80925c7e84cd20
Opcode Fuzzy Hash: 1c78e0e252bebcd70450fce440d472f6a1e3912144bb1b639d284620a718b5bd
Instruction Fuzzy Hash: 1021C562A09A86C2EA208B12BD40F7A6294FF54794F4441B8EFAD877D2EF3CE441C340

Function 00007FF68C922C70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF68C922D03
SysFreeString.OLEAUT32 ref: 00007FF68C922D10

Strings

0, xrefs: 00007FF68C922E06

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeString
String ID: 0
API String ID: 3341692771-4108050209
Opcode ID: 9cf80296f7dcd9bb6860b465af560b1e347520fcc812bf89a4befe40bf19f7a9
Instruction ID: ad485d363abe6012a31ead5b2073f4b6e2bc8c87821323a030d76d2bbf327eb4
Opcode Fuzzy Hash: 9cf80296f7dcd9bb6860b465af560b1e347520fcc812bf89a4befe40bf19f7a9
Instruction Fuzzy Hash: 63418121A0CBC181EA619B11A5107BAA760FF997C8F059168EEDD47A9BDF3DE184C700

Function 00007FF68C969530 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF68C969570
K32GetPerformanceInfo.KERNEL32 ref: 00007FF68C9695B2

Strings

@, xrefs: 00007FF68C96955A

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorInfoLastPerformance
String ID: @
API String ID: 3053874364-2766056989
Opcode ID: 077ea24f6a704ab3d0dc759e6e37f1d8599cac4a79e9985e6193cf203958e506
Instruction ID: 931d4c2bc1407c9ee1099fb2bfba79911d21695a27cd818258902a09f974f090
Opcode Fuzzy Hash: 077ea24f6a704ab3d0dc759e6e37f1d8599cac4a79e9985e6193cf203958e506
Instruction Fuzzy Hash: A0216411A08EC492EA324B29A4067E6A3B5BFE43A8F005315FBDC86795DF7ED156CB40

Function 00007FF68C950240 Relevance: 4.6, APIs: 3, Instructions: 75COMMON

Download Yara Rule

APIs

WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0(?,-00000008,?,-00000001), ref: 00007FF68C9502BC
GetLastError.KERNEL32(?,-00000008,?,-00000001), ref: 00007FF68C9502C6

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: AddressErrorLastWait
String ID:
API String ID: 1574541344-0
Opcode ID: 586061fe2e34f20f9e263b912a46c327c4bdf149aa0d38205655db5478124066
Instruction ID: f0309ae49e8634ea340acfb0b84df311ddc57a48b1b785376caff1af0df6156e
Opcode Fuzzy Hash: 586061fe2e34f20f9e263b912a46c327c4bdf149aa0d38205655db5478124066
Instruction Fuzzy Hash: 21213032B0C4C2C6FE358A15A45127D66A0BF80789F0481F8DB8ECBAC6DE3CE942C740

Function 00007FF68C951910 Relevance: 4.5, APIs: 3, Instructions: 46sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF68C951973
CloseHandle.KERNEL32 ref: 00007FF68C95197D
Sleep.KERNEL32 ref: 00007FF68C9519A4

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: CloseHandleObjectSingleSleepWait
String ID:
API String ID: 640476663-0
Opcode ID: 87bdda77e8f7f0b28803330721d76a66ae64b95234273b2e9e0ddbcfa9fb1289
Instruction ID: ab65fad520f0fa9e5ad6d739385ccae7d9509efd47bbd930115e3f818a54347d
Opcode Fuzzy Hash: 87bdda77e8f7f0b28803330721d76a66ae64b95234273b2e9e0ddbcfa9fb1289
Instruction Fuzzy Hash: 1A01B552B0CAC281FE64A236B621B7951496F857F0F144279EEAE86BD7DE2C9441C241

Function 00007FF68C96A080 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetErrorInfo.OLEAUT32 ref: 00007FF68C96A0E8
GetErrorInfo.OLEAUT32 ref: 00007FF68C96A11C

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorInfo
String ID:
API String ID: 3619768924-0
Opcode ID: 5974e859057a934ac2e84da0e3abebde45f6dcb029ad41c2b9ae45ae016a50a4
Instruction ID: 4561517c84c1e7706dadb46db4f6b83f491a0b5acd83fd669177d537032a909a
Opcode Fuzzy Hash: 5974e859057a934ac2e84da0e3abebde45f6dcb029ad41c2b9ae45ae016a50a4
Instruction Fuzzy Hash: 14116732608AC1C2EF149F28E45476FA6A1BF80768F518179EB8A87AC6CFBDC105C700

Function 00007FF68C94D300 Relevance: 2.6, APIs: 2, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C94D5E0: HeapFree.KERNEL32 ref: 00007FF68C94D9F7
Part of subcall function 00007FF68C94D5E0: GetSystemInfo.KERNEL32 ref: 00007FF68C94DA27

HeapFree.KERNEL32 ref: 00007FF68C94D46C
HeapFree.KERNEL32 ref: 00007FF68C94D47D

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$InfoSystem
String ID:
API String ID: 738346042-0
Opcode ID: faa133be13beb5e4f603384a94e569edd5f59e1a28feb3bf11e84fc1aab4983a
Instruction ID: 77b0cd726a25b3fe8b986ec83115325e43e526abc0879a75e62df850121fe712
Opcode Fuzzy Hash: faa133be13beb5e4f603384a94e569edd5f59e1a28feb3bf11e84fc1aab4983a
Instruction Fuzzy Hash: 68318E37A18A81C0EA60CB01E44477967A5FF85B94F4481BAEA5D87796DF3CE086C700

Function 00007FF68C94D1E0 Relevance: 2.6, APIs: 2, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C94D2AD
HeapFree.KERNEL32 ref: 00007FF68C94D2BE

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4e979a9ec8997614d8d457e9aaf91d8b06a7f9304aa9e54bad75fc4831ca2564
Instruction ID: c11f468b4776fe621a4ebd6ea1368fd61ea6110b70d0447c351ab31f99c959c5
Opcode Fuzzy Hash: 4e979a9ec8997614d8d457e9aaf91d8b06a7f9304aa9e54bad75fc4831ca2564
Instruction Fuzzy Hash: DD31C227A08AC2C1EE20CB41E44477D63A5FF99B94F4441B9EA5D83BA5DF3CE582C700

Function 00007FF68C9502E0 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C95037D

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: AddressWake
String ID:
API String ID: 98804233-0
Opcode ID: d899170c63f555119f42af66820b7c3946f4b4e83656a1d48d9bc3c5a5a8fc52
Instruction ID: c66c0e7034d1c9143a90ae4c95a2e7cfbfaf44d43024b0fe13e8663f423b5633
Opcode Fuzzy Hash: d899170c63f555119f42af66820b7c3946f4b4e83656a1d48d9bc3c5a5a8fc52
Instruction Fuzzy Hash: 34F08973709542CBEF26CB24A45126D67D0EBC479DF048174DB8A8BA95DF3CD582CB40

Function 00007FF68C95034D Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C95037D

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: AddressWake
String ID:
API String ID: 98804233-0
Opcode ID: 1fb3fc45eed4718661be2a7fcf0e2a82144b87f037791bc8693358aea4843251
Instruction ID: ef6331e6af52861bc5b007d554dd1cae6d17d4d01bdd7e0f5a725e6bfd8aa99a
Opcode Fuzzy Hash: 1fb3fc45eed4718661be2a7fcf0e2a82144b87f037791bc8693358aea4843251
Instruction Fuzzy Hash: 93E0DF3760C241CBEE369A24B05012C6B50FF887E9F0801B5DB8946EE6DE3CD282CF00

Function 00007FF68C9618D0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

PdhCollectQueryData.PDH ref: 00007FF68C961B72

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: CollectDataQuery
String ID:
API String ID: 777096026-0
Opcode ID: 3888c7d31c858ab674ec561122fe36d2925056e640258f185d6836656624c505
Instruction ID: ea716d50f239859e228fef7db4da8ae307100cdac467e48a1527b10114c04ae5
Opcode Fuzzy Hash: 3888c7d31c858ab674ec561122fe36d2925056e640258f185d6836656624c505
Instruction Fuzzy Hash: 1AE09A00A05DC5E4EA64AB76ED0AFEA2228BF94748F004175FE0D873A3EE39940AC340

Function 00007FF68C9678D0 Relevance: 1.3, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

wcslen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68C96797F

Part of subcall function 00007FF68C9519C0: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,FFFFFFFF,00007FF68C953011), ref: 00007FF68C951B84

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpywcslen
String ID:
API String ID: 982415701-0
Opcode ID: 1ae50bb9ed8a438ffa5a99cdb1b9607cd7617f54f30c76c214c759625ad131c2
Instruction ID: 3cc240da99f90efd6a51c945248e04447e0ccc7830b1ddccbaae9c85ac86b581
Opcode Fuzzy Hash: 1ae50bb9ed8a438ffa5a99cdb1b9607cd7617f54f30c76c214c759625ad131c2
Instruction Fuzzy Hash: C521C023918B81C1EA219B15B40076AA7A0FB897E8F444229EFDE16BD6DF3CE185C700

Non-executed Functions

Function 00007FF68C956935 Relevance: 94.2, APIs: 47, Strings: 6, Instructions: 1492COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00007FF68C956C3C

Strings

=, xrefs: 00007FF68C956CE0
.exeprogram not found, xrefs: 00007FF68C957AEB
k(, xrefs: 00007FF68C958C99
U6, xrefs: 00007FF68C95A3D6
exe\\.\NUL\cmd.exemaximum number of ProcThreadAttributes exceeded, xrefs: 00007FF68C956B73
p, xrefs: 00007FF68C95B0DB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: EnvironmentStrings
String ID: .exeprogram not found$=$exe\\.\NUL\cmd.exemaximum number of ProcThreadAttributes exceeded$p$U6$k(
API String ID: 2794021878-843690317
Opcode ID: 3d2e6a210b14a1226cea82b08d139b7c0f5f2cefccd7e22ba788b320230c443c
Instruction ID: 515e75b3e320e8b20d9bf493ba63918d1ede9dfb3f246b2bdb95f9011ae0ac0e
Opcode Fuzzy Hash: 3d2e6a210b14a1226cea82b08d139b7c0f5f2cefccd7e22ba788b320230c443c
Instruction Fuzzy Hash: B6E28F22A0DAC1C1EE718B15E4443FAA7A4FF94B95F04417ADA9D97B9ADF3CE181C700

Function 00007FF68C92E7AA Relevance: 88.1, APIs: 44, Strings: 5, Instructions: 2318memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C92E7EE
HeapFree.KERNEL32 ref: 00007FF68C92E817
HeapFree.KERNEL32 ref: 00007FF68C92E8D2
HeapFree.KERNEL32 ref: 00007FF68C92E8E3

Strings

&, xrefs: 00007FF68C9319F6
!, xrefs: 00007FF68C92E988
?, xrefs: 00007FF68C93032C
I, xrefs: 00007FF68C9301D8
I, xrefs: 00007FF68C9301EC

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID: !$&$?$I$I
API String ID: 3298025750-3010272391
Opcode ID: efe3db7b1da18e428d0f8f852c299f49e73bc39fef0bd76448cf821915963c77
Instruction ID: 9eb4404c89831596e2243de106af50116e6e4d1c82dca735745a609c2d53d50a
Opcode Fuzzy Hash: efe3db7b1da18e428d0f8f852c299f49e73bc39fef0bd76448cf821915963c77
Instruction Fuzzy Hash: A4436032608BC1C5EB218B15E4943AABBA4FB89780F54917ADBCD47BA6DF3DD051CB40

Function 00007FF68C958BB3 Relevance: 65.5, APIs: 36, Strings: 1, Instructions: 735memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C95955D
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C959594
HeapFree.KERNEL32 ref: 00007FF68C9595BB
HeapFree.KERNEL32 ref: 00007FF68C959714

Strings

p, xrefs: 00007FF68C95B0DB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID: p
API String ID: 1887603139-2181537457
Opcode ID: 581fd53c185e0ee6a638237b706a833573dbeee2d9c0a818cfa8639bd9e5c6b0
Instruction ID: d8db884f0e7df67e9a1baa7f761f359cf80d99209dd3bb57ddb26b56b02fdd99
Opcode Fuzzy Hash: 581fd53c185e0ee6a638237b706a833573dbeee2d9c0a818cfa8639bd9e5c6b0
Instruction Fuzzy Hash: ED729D22A0CAC2C0EA719B11E4447FAA7A0FF94785F448179DE8D87B9ADF3CD496C740

Function 00007FF68C959B86 Relevance: 45.9, APIs: 23, Strings: 3, Instructions: 398memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C95D3E0: HeapFree.KERNEL32 ref: 00007FF68C95D486
Part of subcall function 00007FF68C95D3E0: HeapFree.KERNEL32 ref: 00007FF68C95D497

HeapFree.KERNEL32 ref: 00007FF68C959BCA
HeapFree.KERNEL32 ref: 00007FF68C959C03
SetLastError.KERNEL32 ref: 00007FF68C959D66
GetWindowsDirectoryW.KERNEL32 ref: 00007FF68C959D71
GetLastError.KERNEL32 ref: 00007FF68C959D7D
GetLastError.KERNEL32 ref: 00007FF68C959DA3

Strings

-8, xrefs: 00007FF68C959BAE
PATH, xrefs: 00007FF68C959F9A
p, xrefs: 00007FF68C95B0DB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$ErrorLast$DirectoryWindows
String ID: PATH$p$-8
API String ID: 4021950356-2727323446
Opcode ID: a2b623c318b87364fe19e5c5aa4211406781934ea1a11a5e36647202f4574ee9
Instruction ID: 0eef00be3a43271024544285cc621b92e241893f609db092154f0d3fc908d280
Opcode Fuzzy Hash: a2b623c318b87364fe19e5c5aa4211406781934ea1a11a5e36647202f4574ee9
Instruction Fuzzy Hash: 0D02BC22A0CAC6C0FA709B15E4043FAA3A1FF85785F458179DA9D97A96DF3DE482C740

Function 00007FF68C9339F0 Relevance: 39.8, APIs: 24, Strings: 2, Instructions: 850COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000002,?,00000000,00000000,?,?,00000000), ref: 00007FF68C933D17
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000002,?,00000000,00000000,?,?,00000000), ref: 00007FF68C933D50

Strings

x, xrefs: 00007FF68C9351EB
@, xrefs: 00007FF68C93506F

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memset
String ID: @$x
API String ID: 2221118986-552422522
Opcode ID: ba2d3648dfcd267d3b6a73823509147b295b9fa092e621591b3edf763e9e4dff
Instruction ID: 3b182418d6e3aa81ef1eeaa251a30faeb06fbfccb91134ef0218d3ad69be053c
Opcode Fuzzy Hash: ba2d3648dfcd267d3b6a73823509147b295b9fa092e621591b3edf763e9e4dff
Instruction Fuzzy Hash: 8E827D72A1DAC1C6EB318B25F4443EAA7A0FB89784F445129DB8D97B9ADF3CD145CB00

Function 00007FF68C95B772 Relevance: 36.9, APIs: 24, Instructions: 898memoryCOMMON

Download Yara Rule

APIs

CompareStringOrdinal.KERNEL32 ref: 00007FF68C95B7E1
HeapFree.KERNEL32 ref: 00007FF68C95B84A
HeapFree.KERNEL32 ref: 00007FF68C95B862

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$CompareOrdinalString
String ID:
API String ID: 3984308579-0
Opcode ID: 878b17003ff03361027c9621e25a04b426e0e4c63dc0a96aa39596ea124ebec7
Instruction ID: dd870cd5aa6833a51efe9e9423490cfada164efa6227bee942ee5db566bce40b
Opcode Fuzzy Hash: 878b17003ff03361027c9621e25a04b426e0e4c63dc0a96aa39596ea124ebec7
Instruction Fuzzy Hash: D8B2A422908BC4C1E6628F18E1057EAB3B8FF98794F459325DF9C53666EF35E295C700

Function 00007FF68C958761 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 241memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C9587E7
SetLastError.KERNEL32 ref: 00007FF68C9588A8
GetSystemDirectoryW.KERNEL32 ref: 00007FF68C9588B3
GetLastError.KERNEL32 ref: 00007FF68C9588BE
GetLastError.KERNEL32 ref: 00007FF68C9588D6

Strings

p, xrefs: 00007FF68C95B0DB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$DirectoryFreeHeapSystem
String ID: p
API String ID: 696374338-2181537457
Opcode ID: d3b54accb912a9656846ffa433bab8aed066cc164c7d152435b7a7b4ecf80d48
Instruction ID: 298e49f701474da594257f846e1cb7ba5f49368f05a180bd57745c39bde8b44b
Opcode Fuzzy Hash: d3b54accb912a9656846ffa433bab8aed066cc164c7d152435b7a7b4ecf80d48
Instruction Fuzzy Hash: 99C17C22A0CAC5C0FA719B15E4457FAA3A4FF85794F048179DE9C97A9ADF3CE482C740

Function 00007FF68C958479 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 223memoryprocessCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C9599E0
SetLastError.KERNEL32 ref: 00007FF68C959AA6
GetSystemDirectoryW.KERNEL32 ref: 00007FF68C959AB1
GetLastError.KERNEL32 ref: 00007FF68C959ABC
GetLastError.KERNEL32 ref: 00007FF68C959AD5
CreateProcessW.KERNEL32 ref: 00007FF68C95B1DE
CloseHandle.KERNEL32 ref: 00007FF68C95B24B
CloseHandle.KERNEL32 ref: 00007FF68C95B253
CloseHandle.KERNEL32 ref: 00007FF68C95B25B
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C95B273
HeapFree.KERNEL32 ref: 00007FF68C95B299
HeapFree.KERNEL32 ref: 00007FF68C95B2B4
HeapFree.KERNEL32 ref: 00007FF68C95B2D5
HeapFree.KERNEL32 ref: 00007FF68C95B2EB
HeapFree.KERNEL32 ref: 00007FF68C95B308
CloseHandle.KERNEL32 ref: 00007FF68C95B31E
CloseHandle.KERNEL32 ref: 00007FF68C95B401
CloseHandle.KERNEL32 ref: 00007FF68C95B411
CloseHandle.KERNEL32 ref: 00007FF68C95B41E
CloseHandle.KERNEL32 ref: 00007FF68C95B43B
CloseHandle.KERNEL32 ref: 00007FF68C95B453
CloseHandle.KERNEL32 ref: 00007FF68C95B46B
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C95B483
HeapFree.KERNEL32 ref: 00007FF68C95B4A4
HeapFree.KERNEL32 ref: 00007FF68C95B4BA
HeapFree.KERNEL32 ref: 00007FF68C95B4DB
HeapFree.KERNEL32 ref: 00007FF68C95B4F1
HeapFree.KERNEL32 ref: 00007FF68C95B51A

Strings

!:, xrefs: 00007FF68C9599BA
p, xrefs: 00007FF68C95B0DB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$CloseHandle$ErrorLast$AddressSingleWake$CreateDirectoryProcessSystem
String ID: p$!:
API String ID: 1207286729-2243553189
Opcode ID: 9a8bf098ffbfb7cc0e5088184c98e94c3d06fcbdf008a486b7503fbd6c7a63dd
Instruction ID: 6eb743ff7bd78b1203502164ef7cd1e59ddd17df6cc2e9a01c9f35d27a4cd7f7
Opcode Fuzzy Hash: 9a8bf098ffbfb7cc0e5088184c98e94c3d06fcbdf008a486b7503fbd6c7a63dd
Instruction Fuzzy Hash: 70B17E22A0CAC1C0FA719B15E4457FAA3A4FF95794F044279DE9C97A9ADF3CE082C740

Function 00007FF68C958404 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C95843A
HeapFree.KERNEL32 ref: 00007FF68C95844B
SetLastError.KERNEL32 ref: 00007FF68C959AA6
GetSystemDirectoryW.KERNEL32 ref: 00007FF68C959AB1
GetLastError.KERNEL32 ref: 00007FF68C959ABC
GetLastError.KERNEL32 ref: 00007FF68C959AD5

Strings

p, xrefs: 00007FF68C95B0DB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$FreeHeap$DirectorySystem
String ID: p
API String ID: 2600690918-2181537457
Opcode ID: 66d4b79f129ce5bf88d425e95e1bdbc997e144f524eeec6128481a65899293b5
Instruction ID: bc4811a592165848df37a5dc649e2325e123dadfd7e0d35f7f74296fbe449d57
Opcode Fuzzy Hash: 66d4b79f129ce5bf88d425e95e1bdbc997e144f524eeec6128481a65899293b5
Instruction Fuzzy Hash: ABA17B22A0CAC1C0FA719B15E4457FAA3A4FF85784F048279DE9C97A96DF3DE082C740

Function 00007FF68C95D4F0 Relevance: 30.4, APIs: 20, Instructions: 399COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF68C95F626
GetFullPathNameW.KERNEL32 ref: 00007FF68C95F637
GetLastError.KERNEL32 ref: 00007FF68C95F642
GetLastError.KERNEL32 ref: 00007FF68C95F65B

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID:
API String ID: 2482867836-0
Opcode ID: a403293eff0aefe955b598b9eee8073c48b3f10cbd13c54b5d3b83566b1836fe
Instruction ID: 931b3a42ad32c0c865a6dbc7f89353edee53a70b05c5340d451602b201bf789a
Opcode Fuzzy Hash: a403293eff0aefe955b598b9eee8073c48b3f10cbd13c54b5d3b83566b1836fe
Instruction Fuzzy Hash: ABF1CE62A08BC6C1EE109B11E40477AA7A4FF84BA5F148679EE9D877DADF7CD481C340

Function 00007FF68C92E849 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1328memoryregistryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C92E87B

Part of subcall function 00007FF68C924830: HeapFree.KERNEL32 ref: 00007FF68C924855
Part of subcall function 00007FF68C924830: HeapFree.KERNEL32 ref: 00007FF68C92488C
Part of subcall function 00007FF68C924830: HeapFree.KERNEL32 ref: 00007FF68C9248A6
Part of subcall function 00007FF68C924830: HeapFree.KERNEL32 ref: 00007FF68C924AAE

Part of subcall function 00007FF68C951910: WaitForSingleObject.KERNEL32 ref: 00007FF68C951973
Part of subcall function 00007FF68C951910: CloseHandle.KERNEL32 ref: 00007FF68C95197D
Part of subcall function 00007FF68C951910: Sleep.KERNEL32 ref: 00007FF68C9519A4

Part of subcall function 00007FF68C933590: memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C9336D9

HeapFree.KERNEL32 ref: 00007FF68C92E8D2
HeapFree.KERNEL32 ref: 00007FF68C92E8E3
RegCloseKey.ADVAPI32 ref: 00007FF68C92EA5F
RegCreateKeyExW.ADVAPI32 ref: 00007FF68C93034C
HeapFree.KERNEL32 ref: 00007FF68C93037D
RegCloseKey.ADVAPI32 ref: 00007FF68C9303B1
HeapFree.KERNEL32 ref: 00007FF68C9303CB

Strings

!, xrefs: 00007FF68C92E988
?, xrefs: 00007FF68C93032C
I, xrefs: 00007FF68C9301D8
I, xrefs: 00007FF68C9301EC

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$Close$CreateHandleObjectSingleSleepWaitmemcpy
String ID: !$?$I$I
API String ID: 3810575368-3843625877
Opcode ID: 577e81cdafbd691842ac1d2b764ec65ef7dd0bb54d53b137c32eb0854f402054
Instruction ID: 8d1e9cd9dc0752b5038cfed312dbd45b5ee9b94867445e9ed3ec5608d37cb748
Opcode Fuzzy Hash: 577e81cdafbd691842ac1d2b764ec65ef7dd0bb54d53b137c32eb0854f402054
Instruction Fuzzy Hash: 02E28F32609B80C5EB508B15E4943AABBB4FB89B90F54817AEBCD47BA6DF3DD051C740

Function 00007FF68C924830 Relevance: 20.4, APIs: 16, Instructions: 446memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C924855
HeapFree.KERNEL32 ref: 00007FF68C92488C
HeapFree.KERNEL32 ref: 00007FF68C9248A6
HeapFree.KERNEL32 ref: 00007FF68C924AAE
HeapFree.KERNEL32 ref: 00007FF68C924AD2

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e0ece5aa866dfe8e0159698542e698c759baff41315bac022c1c51d002b0c75f
Instruction ID: 3777fb732a3387118737fc87e3c16dbf0837efde3789adfcd14870e303d53d54
Opcode Fuzzy Hash: e0ece5aa866dfe8e0159698542e698c759baff41315bac022c1c51d002b0c75f
Instruction Fuzzy Hash: 80F1BF22A19AC1C1EE519B1690647F91694FF4EFA0F5842BACE7D973D2DE3CE441C344

Function 00007FF68C9527C0 Relevance: 19.8, APIs: 13, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C952B00: HeapFree.KERNEL32 ref: 00007FF68C952C33

HeapFree.KERNEL32 ref: 00007FF68C95283F
HeapFree.KERNEL32 ref: 00007FF68C952850
SetLastError.KERNEL32 ref: 00007FF68C952916
GetEnvironmentVariableW.KERNEL32 ref: 00007FF68C952927
GetLastError.KERNEL32 ref: 00007FF68C952932
GetLastError.KERNEL32 ref: 00007FF68C95294B
HeapFree.KERNEL32 ref: 00007FF68C9529F6

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$ErrorLast$EnvironmentVariable
String ID:
API String ID: 4066227703-0
Opcode ID: 3ec53acc82e4c17f845f0ae04ba4a9cc60344305a98663a19ef7d63b00a741cf
Instruction ID: e48905e5541eb7b84e692f79e350df130a53fbb27744215293c113576b931d26
Opcode Fuzzy Hash: 3ec53acc82e4c17f845f0ae04ba4a9cc60344305a98663a19ef7d63b00a741cf
Instruction Fuzzy Hash: 1DC1AF22A0CAC2C1EE209B56E44437AA3A0FF55795F1881B9EE9D977D6DF7CE081C340

Function 00007FF68C951460 Relevance: 19.7, APIs: 13, Instructions: 238memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00007FF68C95149E
InitOnceComplete.KERNEL32 ref: 00007FF68C9514DE
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,-00000008,?,00000010,00007FF68C95098D,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C951570
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,-00000008,?,00000010,00007FF68C95098D,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C951581
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,-00000008,?,00000010,00007FF68C95098D,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C9515D0
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,-00000008,?,00000010,00007FF68C95098D,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C9515E1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,-00000008,?,00000010,00007FF68C95098D,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C951630
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,-00000008,?,00000010,00007FF68C95098D,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C951641
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,-00000008,?,00000010,00007FF68C95098D,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C951690
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,-00000008,?,00000010,00007FF68C95098D,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C9516A1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,-00000008,?,00000010,00007FF68C95098D,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C9516DC
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,-00000008,?,00000010,00007FF68C95098D,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C9516ED
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,-00000008,?,00000010,00007FF68C95098D), ref: 00007FF68C95174A

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Value$AllocCompleteFreeHeapInitOnce
String ID:
API String ID: 807793084-0
Opcode ID: 0675609f4caf9f2afd1cda4694cdcc72201c1ee0b91c5a52ba0c9ce1780fe71c
Instruction ID: baf924db37b88e5adb258752a3cbf04646c37ac99ed9441a4aedca64f4cc9b15
Opcode Fuzzy Hash: 0675609f4caf9f2afd1cda4694cdcc72201c1ee0b91c5a52ba0c9ce1780fe71c
Instruction Fuzzy Hash: AD818226F09592C2EE659A2655003B95295BF95B91F0C40BCCE1DD77CAEE3CE882C380

Function 00007FF68C953870 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF68C953A06
GetFullPathNameW.KERNEL32 ref: 00007FF68C953A19
GetLastError.KERNEL32 ref: 00007FF68C953A25
GetLastError.KERNEL32 ref: 00007FF68C953A3E

Strings

\\?\\\?\UNC\, xrefs: 00007FF68C953AF9

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID: \\?\\\?\UNC\
API String ID: 2482867836-3975371117
Opcode ID: d84d089e55dddc0e9d4a1ed6300acfe65f7787120397e22b6a30caf0559a1670
Instruction ID: f80b242cd6ee3963ea5373d343f07b7f70c490a129aa1c1b333a73ed6fe6bb05
Opcode Fuzzy Hash: d84d089e55dddc0e9d4a1ed6300acfe65f7787120397e22b6a30caf0559a1670
Instruction Fuzzy Hash: ABE1BFA2E0CAD2C1EE608B15E05877A63A4FF447A5F50457AEA9DC76C6EF7CE481C300

Function 00007FF68C944A30 Relevance: 19.2, APIs: 9, Strings: 3, Instructions: 1172COMMON

Download Yara Rule

Strings

, xrefs: 00007FF68C944AD0
, xrefs: 00007FF68C944AE4
, xrefs: 00007FF68C944BBC

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memset
String ID: $ $
API String ID: 2221118986-3665324030
Opcode ID: 86d6bbfb23a73066360884d037bc2645f403e0b14234b1c9f4452dd2a8b017c5
Instruction ID: f358d2f46e874448fb21bd8ec6caf7225e3f19fef14855a9e37295804b608036
Opcode Fuzzy Hash: 86d6bbfb23a73066360884d037bc2645f403e0b14234b1c9f4452dd2a8b017c5
Instruction Fuzzy Hash: B8E2A12250C6C189E7328B28A4157EBBBA0FF96355F085259EBD842B9BDF3DC245CF11

Function 00007FF68C931A93 Relevance: 17.9, APIs: 14, Instructions: 435COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C931AD7

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9c5b801a96a8fb46d58ba27210e5e63a0a19fd3d7b2443bb59b6d6cb927858e4
Instruction ID: 6fdbab8bc8675c3967e41ff2daa5f6e27ef2942e1a9a757d0aad600f4a10d99c
Opcode Fuzzy Hash: 9c5b801a96a8fb46d58ba27210e5e63a0a19fd3d7b2443bb59b6d6cb927858e4
Instruction Fuzzy Hash: 24322B72A2DBC1C1EA618B11E4447AAB3A4FF88784F40517AEACD87B9ADF3CD054D740

Function 00007FF68C948640 Relevance: 16.7, APIs: 11, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF68C93291D,?,?), ref: 00007FF68C94865C
BCryptGenRandom.BCRYPT(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF68C93291D,?,?), ref: 00007FF68C948691
SystemFunction036.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF68C93291D,?,?), ref: 00007FF68C9486A9
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF68C93291D,?,?), ref: 00007FF68C948874
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF68C93291D,?,?), ref: 00007FF68C948884
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF68C93291D,?,?), ref: 00007FF68C9488A5
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF68C93291D,?,?), ref: 00007FF68C9488B6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF68C93291D,?,?), ref: 00007FF68C9488D9
TlsSetValue.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68C948933
HeapFree.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68C94894F
HeapFree.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF68C948960

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Value$FreeHeap$CryptFunction036RandomSystem
String ID:
API String ID: 624231926-0
Opcode ID: 48683c90f155eb3ab6b0f480876dc731db24b583f7fd340b0cc4d0d58db42888
Instruction ID: 53632af9aed6f4181c433a8c88898b621f1c7952df377583838f90fac59f06f5
Opcode Fuzzy Hash: 48683c90f155eb3ab6b0f480876dc731db24b583f7fd340b0cc4d0d58db42888
Instruction Fuzzy Hash: 7791A521D1CAC1C1FA665B28A0067F9A3A0BFD4754F059279EB9C83796EF3DA5D2C340

Function 00007FF68C963FB0 Relevance: 15.6, APIs: 6, Strings: 4, Instructions: 575COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00007FF68C964132
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?), ref: 00007FF68C9643A6
CloseHandle.KERNEL32 ref: 00007FF68C96495C

Strings

setybdet, xrefs: 00007FF68C9646C3
modnarod, xrefs: 00007FF68C9643E7
arenegyl, xrefs: 00007FF68C964400
uespemos, xrefs: 00007FF68C9643DA

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: CloseHandlememcpymemset
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 3079659014-66988881
Opcode ID: 9e51cb5e9eab53be9b38e922076bab1050d4355f12cb712b4656db2a253b1688
Instruction ID: ccf131900db17502eb388f196625d18f883c74a60e16dc88b53c20c13f4eb7b3
Opcode Fuzzy Hash: 9e51cb5e9eab53be9b38e922076bab1050d4355f12cb712b4656db2a253b1688
Instruction Fuzzy Hash: D8322553E18FC581EA05CB2895116B96320FB99B98F09A339DFAD566D3EF38E1D1C340

Function 00007FF68C923240 Relevance: 13.2, Strings: 10, Instructions: 707COMMON

Download Yara Rule

Strings

{, xrefs: 00007FF68C93ED04
0123456789abcdef[, xrefs: 00007FF68C93EAC5, 00007FF68C93EC82
\\, xrefs: 00007FF68C93E8EB
\u, xrefs: 00007FF68C93ECFD
00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF68C923299, 00007FF68C9233CB, 00007FF68C9233F7
}, xrefs: 00007FF68C93EB3B
\u, xrefs: 00007FF68C93EB40
{, xrefs: 00007FF68C93EB47
0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF68C923386
}, xrefs: 00007FF68C93ECF8

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000000$0123456789abcdef[$0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000$\\$\u$\u${${$}$}
API String ID: 0-473666626
Opcode ID: 8b596f3fd2b25c00cfd59654428b73a39b7c730e7381da243b893e0f712c348c
Instruction ID: de618d66d53d7484b2e415faeb8a2119eef4251c544e21d256a0c157692050ea
Opcode Fuzzy Hash: 8b596f3fd2b25c00cfd59654428b73a39b7c730e7381da243b893e0f712c348c
Instruction Fuzzy Hash: 89524A22A2C2D2C6EF748738A014B7D7A90FF55780F4061B9EA8E93AC2CF6ED541D701

Function 00007FF68C93F770 Relevance: 12.8, Strings: 10, Instructions: 333COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF68C93F8AC
+, xrefs: 00007FF68C93F793
NAN, xrefs: 00007FF68C93F8D3
-, xrefs: 00007FF68C93F931
-, xrefs: 00007FF68C93F97A
-, xrefs: 00007FF68C93F99D
-, xrefs: 00007FF68C93F9D9
INFINITY, xrefs: 00007FF68C93F7E1
<, xrefs: 00007FF68C93FA8E
-, xrefs: 00007FF68C93F78E

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: +$-$-$-$-$-$-$<$INFINITY$NAN
API String ID: 0-3578884141
Opcode ID: 4eda23634bc7c016abfc26b19e4b810dbbf8c42afebe1cfb9949150ba9b9d5ee
Instruction ID: c6f4d01e1d111cb4044b8e9d1477dbbfb31ed6e9e4d64715532fb9faedc1d1bc
Opcode Fuzzy Hash: 4eda23634bc7c016abfc26b19e4b810dbbf8c42afebe1cfb9949150ba9b9d5ee
Instruction Fuzzy Hash: 87C12352E0C6C3C1FE218A39949077A56A1BF40794F5861FAED4ED62D3EF3EE981D200

Function 00007FF68C968AB0 Relevance: 11.0, APIs: 3, Strings: 4, Instructions: 538COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,0000000C,00007FF68C967E3E), ref: 00007FF68C968C31
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,0000000C,00007FF68C967E3E), ref: 00007FF68C968E81

Strings

modnarod, xrefs: 00007FF68C968EB0
arenegyl, xrefs: 00007FF68C968EBD
setybdet, xrefs: 00007FF68C968ECF
uespemos, xrefs: 00007FF68C968EA3

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpymemset
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 1297977491-66988881
Opcode ID: 095e737c519e80db1e1a180b5f3d5e39476d15b3181db30f1ef949f0194f7770
Instruction ID: 75f9ee288f0b2ef543b8926183432f41b85931ed4db4b16d4d3ea27a7414b32d
Opcode Fuzzy Hash: 095e737c519e80db1e1a180b5f3d5e39476d15b3181db30f1ef949f0194f7770
Instruction Fuzzy Hash: 4C1256A2B14BC582EE048F69A4119BA6761FB85BE0F419335DFAE577C6EE3CC141C340

Function 00007FF68C95E290 Relevance: 9.2, APIs: 6, Instructions: 212threadmemoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C95E35A
InitializeProcThreadAttributeList.KERNEL32 ref: 00007FF68C95E371
UpdateProcThreadAttribute.KERNEL32 ref: 00007FF68C95E3C9

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: AttributeProcThread$FreeHeapInitializeListUpdate
String ID:
API String ID: 3691516580-0
Opcode ID: bd69586e2e46eb3e7d5079dc6a9b5f3f56cfd11cb646f10c9d9e9a093e3e6031
Instruction ID: 7fabcb0e8bb8312b0258e70ddec6b21613ef675114e19bdf5199cdabcbcb9860
Opcode Fuzzy Hash: bd69586e2e46eb3e7d5079dc6a9b5f3f56cfd11cb646f10c9d9e9a093e3e6031
Instruction Fuzzy Hash: 55711722B096D1C1EE149F1A94067BA3391BF48BE5F584279EE2E837D6DE3DE041C200

Function 00007FF68C93F130 Relevance: 9.1, Strings: 7, Instructions: 324COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF68C93F156
+, xrefs: 00007FF68C93F15B
-, xrefs: 00007FF68C93F35B
-, xrefs: 00007FF68C93F337
-, xrefs: 00007FF68C93F2D5
NAN, xrefs: 00007FF68C93F282
INFINITY, xrefs: 00007FF68C93F1AE

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: +$-$-$-$-$INFINITY$NAN
API String ID: 0-176520682
Opcode ID: b5cf5c857cb251bae17931494819c86813d3d21859b320fe9b282f69f3c1af6e
Instruction ID: 9f91f2b38951c530a056c9488ed3f88f7fadfefd95a037223694661c83c010bb
Opcode Fuzzy Hash: b5cf5c857cb251bae17931494819c86813d3d21859b320fe9b282f69f3c1af6e
Instruction Fuzzy Hash: 5DC13522E0C5C2C2FF218A35948437A6682BF847D4F5861FAE94DD66D7DF3EE985C204

Function 00007FF68C933960 Relevance: 8.0, APIs: 6, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cb696e7cde7725783437b057aac67969f44b243f56186d7595fe84ee82d1bd
Instruction ID: 8f71cd9247f54e95e4b79f8928bec81f3433771cd09497b5c68d80ad9d4c61b0
Opcode Fuzzy Hash: d1cb696e7cde7725783437b057aac67969f44b243f56186d7595fe84ee82d1bd
Instruction Fuzzy Hash: 10223772609BC1C6EB758B25B4403EABBA5FB88794F44512ADB8D83B99DF3CD145CB00

Function 00007FF68C93D0F0 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 432COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68C93D4F0
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68C93D62C
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68C93D68D
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68C93D6AC

Strings

+NaNinf00e00123456789abcdef[, xrefs: 00007FF68C93D0FB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memset
String ID: +NaNinf00e00123456789abcdef[
API String ID: 2221118986-1013878795
Opcode ID: 9f6c63ea40faf9d7776fb3227d70d5de8e022c5ec24c29459dd6b2d99e63d944
Instruction ID: 93b5fc078051a716196b108cc29dfc83ba4a71cbb87f9eb7c1669cc40bec0167
Opcode Fuzzy Hash: 9f6c63ea40faf9d7776fb3227d70d5de8e022c5ec24c29459dd6b2d99e63d944
Instruction Fuzzy Hash: F1E13363B292D5C3EF298A389464379228ABF84798F459079C95E87BC6DF3CA945C700

Function 00007FF68C933C70 Relevance: 7.9, APIs: 6, Instructions: 365COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0(00000002,?,00000000,00000000,?,?,00000000), ref: 00007FF68C933D17
memset.API-MS-WIN-CRT-STRING-L1-1-0(00000002,?,00000000,00000000,?,?,00000000), ref: 00007FF68C933D50

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 40d707ea82821389a3abfe0a54bc94a80059103a4080be6e317932e1e45081e2
Instruction ID: 9ce88e3aa1cd4c0dc90cb06d8edcc1382ac39e1af6424a207e72f20782413f94
Opcode Fuzzy Hash: 40d707ea82821389a3abfe0a54bc94a80059103a4080be6e317932e1e45081e2
Instruction Fuzzy Hash: 2C021372609BC186EB758B25F4403EABBA5FB89784F44512ADB8D83B99DF3CD145CB00

Function 00007FF68C9392E0 Relevance: 7.8, Strings: 6, Instructions: 324COMMON

Download Yara Rule

Strings

FFFFFFFF, xrefs: 00007FF68C939311
FFFFFFFF, xrefs: 00007FF68C93943D
d, xrefs: 00007FF68C939447
+, xrefs: 00007FF68C939586
-, xrefs: 00007FF68C9395F6
-, xrefs: 00007FF68C93957E

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: +$-$-$FFFFFFFF$FFFFFFFF$d
API String ID: 0-1053537561
Opcode ID: 706d152c5714f094e570a520f8043db7189edd8cc7cfc7cce119ddd89aee227e
Instruction ID: f9f590db3e17cc9559fbd45d08799bcd011e0ef3af8ffa21e0ef5bdf39ba373e
Opcode Fuzzy Hash: 706d152c5714f094e570a520f8043db7189edd8cc7cfc7cce119ddd89aee227e
Instruction Fuzzy Hash: 5AB14A22F085E2C2EE548E3695847B96690BF11BE4F4A6279CE6E477D6EF3CD541C300

Function 00007FF68C9350B0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 303COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C9350DA
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C935171
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C9357A8

Strings

x, xrefs: 00007FF68C9351EB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpy
String ID: x
API String ID: 3510742995-2363233923
Opcode ID: 2ba7719f30cd3b8dda077a363329c35286023c649d9ae4a55b0becc365115029
Instruction ID: 1e26c6732ddc65e83a4f3b178395aeceddff2d668a3082f39c7d48a5f63f3bf3
Opcode Fuzzy Hash: 2ba7719f30cd3b8dda077a363329c35286023c649d9ae4a55b0becc365115029
Instruction Fuzzy Hash: 9602A336619FC584D6B18B19F8803DAB3A4F799794F548226DECC63B19EF78D198CB00

Function 00007FF68C923610 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF68C92367E, 00007FF68C9237AB, 00007FF68C9237DB, 00007FF68C92385C
}((,]0x0001020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989900000000000000000000000000000000000000000000000000, xrefs: 00007FF68C923ADA
} }((,]0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000, xrefs: 00007FF68C923AF1
0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF68C923766, 00007FF68C9239E1

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: }((,]0x0001020304050607080910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989900000000000000000000000000000000000000000000000000$00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000000$0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000$} }((,]0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000
API String ID: 0-989609041
Opcode ID: 8f7a4330d985837b16954c7c8942412312f9f62e90daf5aafe7c9d5e282de8a0
Instruction ID: bc054edfa603e62658432c40e4e7661d567af87864ef04f75833f257b6ee3776
Opcode Fuzzy Hash: 8f7a4330d985837b16954c7c8942412312f9f62e90daf5aafe7c9d5e282de8a0
Instruction Fuzzy Hash: 6BC15672B18695C2EB248B15E010BB87B64FB99B94F805239DAEE57BE1CF3DC245D700

Function 00007FF68C925710 Relevance: 5.1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

uespemos, xrefs: 00007FF68C925715
setybdet, xrefs: 00007FF68C92573C
arenegyl, xrefs: 00007FF68C92572F
modnarod, xrefs: 00007FF68C925722

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: b4d0b01a74f92c1dd7256cf564e30a0a617bb5f67117b0844aa177738c44540a
Instruction ID: 27c8322933769904843feb15b2581eae28c6e8122ef2f94993066102d6ba34ab
Opcode Fuzzy Hash: b4d0b01a74f92c1dd7256cf564e30a0a617bb5f67117b0844aa177738c44540a
Instruction Fuzzy Hash: 7F3125E6B08B8042FE54D7E4787536B9212A7457D0F90E13AEE4D9BF1EDE3DD2428240

Function 00007FF68C963E30 Relevance: 5.1, Strings: 4, Instructions: 91COMMON

Download Yara Rule

Strings

arenegyl, xrefs: 00007FF68C963E4E
uespemos, xrefs: 00007FF68C963E34
setybdet, xrefs: 00007FF68C963E5B
modnarod, xrefs: 00007FF68C963E41

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 2245685689969dc26132a4786679ef62b6e8df96e94c5d07d423d7e1e7501f9e
Instruction ID: 790256dd086d36beda63b4b8c01b012486993d897132228f40410405ffca0f86
Opcode Fuzzy Hash: 2245685689969dc26132a4786679ef62b6e8df96e94c5d07d423d7e1e7501f9e
Instruction Fuzzy Hash: 3721E7E6B08B8042FE44D7D4747136B9262A3447C0F90E036EE4D97B1EDF3DD2514640

Function 00007FF68C94C5F0 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68C94C64F

Strings

setybdet, xrefs: 00007FF68C94C65D
arenegyl, xrefs: 00007FF68C94C667

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memset
String ID: arenegyl$setybdet
API String ID: 2221118986-2199462733
Opcode ID: cdcff81bc8450103981dc810123f6557636ea43d9cbe738f630e8902aa7e6a2b
Instruction ID: 830f0bac6fd0e7ef6de25164ea1bd00d264060a70a9ef3d6561ad26309b2c3ca
Opcode Fuzzy Hash: cdcff81bc8450103981dc810123f6557636ea43d9cbe738f630e8902aa7e6a2b
Instruction Fuzzy Hash: E7514D23B446A1CAF6A4AF75BA507E72A50F318758F885025DF9C87352DF38DAE2C340

Function 00007FF68C9259D0 Relevance: 4.5, APIs: 3, Instructions: 724memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C925B02
memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C925BE9

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeapmemcmp
String ID:
API String ID: 2929263700-0
Opcode ID: 75d4ca94a912342500757eb0cacd0f6640c795a4e7728d402fc5a865ed8a3b1c
Instruction ID: 6d9c4af22a17aa9e3b0c4e305a6a24cd5631f5c94f34364a3098308edc37bd51
Opcode Fuzzy Hash: 75d4ca94a912342500757eb0cacd0f6640c795a4e7728d402fc5a865ed8a3b1c
Instruction Fuzzy Hash: BB523922B1C6D1C1FE218B259421BB9A751FF59795F448279EEEE93A82EF3CE541C300

Function 00007FF68C94F340 Relevance: 4.3, APIs: 3, Instructions: 548COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C94F856
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C94F891

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 9508fe8bffddda92d75bd7629f9fdc783abf528d6a1f0c345942ccd6e9668a97
Instruction ID: 74ad577cf064a5183b87c3418e8cceab9bf90af8be81a890bc60da2b49225362
Opcode Fuzzy Hash: 9508fe8bffddda92d75bd7629f9fdc783abf528d6a1f0c345942ccd6e9668a97
Instruction Fuzzy Hash: 4242AE23D18BD1C2E7608F20E9543BA33A0FB55B8CF15A238DF9A4A6D6DF799195C310

Function 00007FF68C9611E0 Relevance: 4.1, Strings: 3, Instructions: 369COMMON

Download Yara Rule

Strings

HygonGen, xrefs: 00007FF68C9616B3
Authenti, xrefs: 00007FF68C961694
GenuineI, xrefs: 00007FF68C9616F4

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: Authenti$GenuineI$HygonGen
API String ID: 0-696657513
Opcode ID: af8090e0685c6ae0e240fc2a188f8cd7655971698e78a546eacfb7dad60ded05
Instruction ID: 44d76ce60b82f17866bb62e48c3c95ce6993625ce039523e62a0298cf84b2bc4
Opcode Fuzzy Hash: af8090e0685c6ae0e240fc2a188f8cd7655971698e78a546eacfb7dad60ded05
Instruction Fuzzy Hash: 42B148A37389A143FB598A46BD52BB64991B358BC4F18703DEE5B87BC1DC7DCA10D240

Function 00007FF68C95DA30 Relevance: 3.9, APIs: 3, Instructions: 199memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C95DB1C
HeapFree.KERNEL32 ref: 00007FF68C95DC14
HeapFree.KERNEL32 ref: 00007FF68C95DCE3

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7bd68b3bfbffb44e3ebe031dd448b54deebb13ba44114b1364ade926e01979ae
Instruction ID: a71ca84720246e0f2b25fc3daca3f71faa67f92bfec65602b7d1994f4953eebe
Opcode Fuzzy Hash: 7bd68b3bfbffb44e3ebe031dd448b54deebb13ba44114b1364ade926e01979ae
Instruction Fuzzy Hash: A871ACA7A09781C1EE558B42E6403B96698FF46FE1F5486BACE1D977C2DE78E1D0C300

Function 00007FF68C9211B9 Relevance: 3.1, APIs: 2, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896da6279d52843613759fa602d04b45b87885fae0688f27167969770fa4b905
Instruction ID: 0e4bab67341ce84564687aa042b4d88482ef4b03388a96ff379d2d4a1cc00df8
Opcode Fuzzy Hash: 896da6279d52843613759fa602d04b45b87885fae0688f27167969770fa4b905
Instruction Fuzzy Hash: C4313835A0AA86C1EB00AF55E9A46B923A1BF58BC4F00407DEA5DC77A7DE3CE851D250

Function 00007FF68C935D10 Relevance: 3.0, APIs: 1, Instructions: 1774COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c994733f000f205a261743c464e086444c9072910b16e37ab1f25a00a1c54555
Instruction ID: 4bb753d19079d98afb1de36115a7da8aca60cd9949b1a119ec7c5e74a1827189
Opcode Fuzzy Hash: c994733f000f205a261743c464e086444c9072910b16e37ab1f25a00a1c54555
Instruction Fuzzy Hash: 8BD2B4A7F45AD083FA60CFE474607D7AB61FB95788F44A026DE8C93B09DE38C6918744

Function 00007FF68C924080 Relevance: 2.9, Strings: 2, Instructions: 443COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF68C9240AB, 00007FF68C9242E0, 00007FF68C9243F1, 00007FF68C924477
0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000, xrefs: 00007FF68C924230, 00007FF68C9243C0, 00007FF68C924601

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000000$0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798990000000000000000000000000000000000000000000000000000000000
API String ID: 0-1429195914
Opcode ID: fd104769d42c57b2532ed534e7d2e49fed76a871e781d223ae9640d92f6e226e
Instruction ID: 99cf65c648d4890b6316b824b4d03a523d889b9f6e4a209cb936c4c5518fc88b
Opcode Fuzzy Hash: fd104769d42c57b2532ed534e7d2e49fed76a871e781d223ae9640d92f6e226e
Instruction Fuzzy Hash: A2026762B086D581EB248B25E010BB96761FFA9794F905239DEEE57BD2CF3DC601D700

Function 00007FF68C9555FF Relevance: 2.9, APIs: 2, Instructions: 373memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C955CE1
HeapFree.KERNEL32 ref: 00007FF68C955CF2

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 51e8ce8bd5b6c8c8c452163f16a45b4a2fab635007e494dab822d6d195244a32
Instruction ID: 31be34b6f362d292e37fe4f7e1e2e48a9fa446d6911091d1530ccd9b512f00df
Opcode Fuzzy Hash: 51e8ce8bd5b6c8c8c452163f16a45b4a2fab635007e494dab822d6d195244a32
Instruction Fuzzy Hash: DEE1C822E0CEC2C1EE718714A5453BAA791FF81795F5441BAE78D82A9BDE3CE485C700

Function 00007FF68C923470 Relevance: 1.9, Strings: 1, Instructions: 635COMMON

Download Yara Rule

Strings

0.ee--+NaNinf00e00123456789abcdef[, xrefs: 00007FF68C940AD4, 00007FF68C940CBF, 00007FF68C940D57, 00007FF68C940F4D, 00007FF68C9410DB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: 0.ee--+NaNinf00e00123456789abcdef[
API String ID: 0-2347449866
Opcode ID: a9489ab1a9e23fda4fc2c48208d82a026bb97bd508256d740414ebff05c4198c
Instruction ID: 95ba7725c20f0284e4fad388115d14aad3964b165a2d22356a9ce1c0bb13dacf
Opcode Fuzzy Hash: a9489ab1a9e23fda4fc2c48208d82a026bb97bd508256d740414ebff05c4198c
Instruction Fuzzy Hash: 7752B13291CBC1C1EB718B10F4403AAA6A5FF85384F505279EA9D87BA9EF7DD584CB40

Function 00007FF68C9230FD Relevance: 1.8, Strings: 1, Instructions: 509COMMON

Download Yara Rule

Strings

0.ee--+NaNinf00e00123456789abcdef[, xrefs: 00007FF68C941BBC, 00007FF68C941DA7, 00007FF68C941E3F, 00007FF68C942055, 00007FF68C9421E3

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: 0.ee--+NaNinf00e00123456789abcdef[
API String ID: 0-2347449866
Opcode ID: 0f1a64eb6dae038731163b610a0950d03314f11fd062e5b2fb97546c57704837
Instruction ID: 0317cdf4f8ac5e8610d7a3e8eb0f89e2d0a06d89b0419be09fe118028f193efb
Opcode Fuzzy Hash: 0f1a64eb6dae038731163b610a0950d03314f11fd062e5b2fb97546c57704837
Instruction Fuzzy Hash: 0E32C362A1DBC1C1EB708B10F4407AAA7A1FF94394F105239EAAD87B99EF7DD545CB00

Function 00007FF68C93CA00 Relevance: 1.7, Strings: 1, Instructions: 485COMMON

Download Yara Rule

Strings

+NaNinf00e00123456789abcdef[, xrefs: 00007FF68C93CA09

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID: +NaNinf00e00123456789abcdef[
API String ID: 0-1013878795
Opcode ID: 6837581a57a9980670aeceedd9ee8ffbbadc029e4d40c319108c0f95e6d53880
Instruction ID: cffaacf80aa32c16ac468b972663d3fe18324cf971c71c8ede8cb5c31d7d264e
Opcode Fuzzy Hash: 6837581a57a9980670aeceedd9ee8ffbbadc029e4d40c319108c0f95e6d53880
Instruction Fuzzy Hash: FCF14562728AD5C3DF14CF65A40466AAB95FB84BC0F54A13AEE4E83B99CF3CD945C700

Function 00007FF68C931A60 Relevance: 1.6, APIs: 1, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7336feaa95fd2ef51da9c0d4026dbca259ab2a00fc7acd68179c43fa545717a2
Instruction ID: 540be69327b9426bb10a29c3598f9a94048851d32ac09a1054d03244e12c9d5b
Opcode Fuzzy Hash: 7336feaa95fd2ef51da9c0d4026dbca259ab2a00fc7acd68179c43fa545717a2
Instruction Fuzzy Hash: 4C02B032608BD085EBA08B22E4903EEB7A4FB84790F45907ADE9D47BA6DF3CD451D750

Function 00007FF68C928A40 Relevance: 1.4, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C928C73

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 26c8372820b04c8065bb61067e0676e37b4cd3dc4849671adea62fef3de3c050
Instruction ID: 4bc24781b7a725458e326175f90d5803cc418f5542d9088d328f17040327b7be
Opcode Fuzzy Hash: 26c8372820b04c8065bb61067e0676e37b4cd3dc4849671adea62fef3de3c050
Instruction Fuzzy Hash: FF512897F15BC181FE50C76864213BA9310BF997D4F44A33AEEC9A6A46EF3CD146C240

Function 00007FF68C967F10 Relevance: 1.4, APIs: 1, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00007FF68C967E3E), ref: 00007FF68C9680A6

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 34dc33e977de95e2aa8dc89f82795e9281cd5dd4c09bf821a8f419b6ea95e991
Instruction ID: 1f71953f03b9328557f51923072c35793f7505e87c16c8d4e0386c559816dc44
Opcode Fuzzy Hash: 34dc33e977de95e2aa8dc89f82795e9281cd5dd4c09bf821a8f419b6ea95e991
Instruction Fuzzy Hash: 28411372B19A81C2FE558B16A504B7826D5BF447E0F058A79DFAE83BD2EE3CE041C344

Function 00007FF68C926AE0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa5c9f037f992481c5d4a898faa3f0562503b33e060e6b0185ab9d085fbddc9
Instruction ID: c7bf4171ae93d7e3f5c5c95db60db3b6dc784b5245322c960649b1c0a708ecce
Opcode Fuzzy Hash: 6aa5c9f037f992481c5d4a898faa3f0562503b33e060e6b0185ab9d085fbddc9
Instruction Fuzzy Hash: CC324996E297E681EA23463A95053B45650BFA37D0E01D33AFDAD71F96DF29E281C300

Function 00007FF68C943480 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0008cb838a1a7d1119a14ba7d8f2eeb85f944b6c727f85d109163e7cbb8f0d0e
Instruction ID: 38d0b1edcc7329eb8f48a6eef0d19ab4cc859e69226b76435a59e737da1bcd3d
Opcode Fuzzy Hash: 0008cb838a1a7d1119a14ba7d8f2eeb85f944b6c727f85d109163e7cbb8f0d0e
Instruction Fuzzy Hash: B3F12862E29FC586EB22473854023BAF714BFEB794F40D326EEE971A82DF1C9141D140

Function 00007FF68C935840 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31be5707e724445f2252c5881b99883c2d0881c28b889c9f2e2d75c82b7ba2b
Instruction ID: 5e1589d1126e8265170e2216aa57ffc0f49dd187af78fc69c57da152fe37c094
Opcode Fuzzy Hash: e31be5707e724445f2252c5881b99883c2d0881c28b889c9f2e2d75c82b7ba2b
Instruction Fuzzy Hash: DEB10866F81BA443DA188F85B85179AA365B3C9BD4F45E026DE4CA7F58ED3CC9038340

Function 00007FF68C951C30 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb443bf15f0c0808131960636e03ef8ccbd760d7c35891fba3a68a0fde93101
Instruction ID: b83f1b2dc42fa54e91f78a1fa6413df2319bd6325b81eac4ab96d489f1b17f68
Opcode Fuzzy Hash: ddb443bf15f0c0808131960636e03ef8ccbd760d7c35891fba3a68a0fde93101
Instruction Fuzzy Hash: DAC16962E0C6D1C4FF628A649400B796A81BF02767F5483B8C97E971D2EFBD5D96D300

Function 00007FF68C949DEE Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5253e93aaebdb80888fead87f16646c4513e5280444b0ca7af1c6c0ef13a77d
Instruction ID: d358b07c73984bbfbc85bd402de2963593e62ca8cfaec3f6987f0339e7cfd5ae
Opcode Fuzzy Hash: a5253e93aaebdb80888fead87f16646c4513e5280444b0ca7af1c6c0ef13a77d
Instruction Fuzzy Hash: D8E15B66E29FC956F313573864032B6E318AFFB6C9F40E31AFDD0B1913EB6482529644

Function 00007FF68C938BF0 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2edd579274dd08393264abd86524fcd460068e4d84029b77e39eceb842e0c63
Instruction ID: 451c5376f997476323c44d4d9b9dbe16d91e4b762719cb89964e319367d83ff1
Opcode Fuzzy Hash: a2edd579274dd08393264abd86524fcd460068e4d84029b77e39eceb842e0c63
Instruction Fuzzy Hash: B3A1F712E196D1D2FF564B2484107B82A51BF91B90F4B92BBDE1D87BC2CF3CA955C309

Function 00007FF68C928340 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b0bec211e6195bb120cdd5099edde79d6a45dd3d239ce56b518f5aae1f642a
Instruction ID: 1dd3f8f51ea6d095d3dfca9d7ed4c3cdf117b14dbaab57946e6a9822177f0773
Opcode Fuzzy Hash: e9b0bec211e6195bb120cdd5099edde79d6a45dd3d239ce56b518f5aae1f642a
Instruction Fuzzy Hash: 37414773F146B182FF14CB51A574A382712FB54BD0F42913ADD6AA3F81CE28D896C384

Function 00007FF68C93FC50 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235281eec64871b40e926be524ef9672bcf5aecf8045c25ea4de9a8cfd46bf51
Instruction ID: 8dd05497edb27aa10839df32deee162402610d6c8898227e7d8493d7489102a9
Opcode Fuzzy Hash: 235281eec64871b40e926be524ef9672bcf5aecf8045c25ea4de9a8cfd46bf51
Instruction Fuzzy Hash: 67316B52F55A96C3FE14813989257B501826F857F0E54A3B8DE3ECBBD8EF2D9541C200

Function 00007FF68C9579F9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 200COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C957AC2

Strings

.exeprogram not found, xrefs: 00007FF68C957AEB
p, xrefs: 00007FF68C95B0DB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpy
String ID: .exeprogram not found$p
API String ID: 3510742995-3588222318
Opcode ID: 91bca6fc6900877c90ba94fcfcd7c9d2bbc746bd43a7f388c1ecd0c44c2fb826
Instruction ID: a01f9eb3074b9d6dbf626ca276a7751f380247ced19474f3a0d98e5f24f99ae7
Opcode Fuzzy Hash: 91bca6fc6900877c90ba94fcfcd7c9d2bbc746bd43a7f388c1ecd0c44c2fb826
Instruction Fuzzy Hash: 08A17E22A0DAC1C0EA719B15E4557FAA3A4FF95785F044179DE8C86A9BDF3CE182C700

Function 00007FF68C97B2A0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 143COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF68C97B375
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68C97B37B
RtlUnwindEx.KERNEL32 ref: 00007FF68C97B491

Strings

CCG , xrefs: 00007FF68C97B30E
CCG!, xrefs: 00007FF68C97B368
CCG", xrefs: 00007FF68C97B302
CCG , xrefs: 00007FF68C97B4F6
CCG!, xrefs: 00007FF68C97B2C9

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3297834124
Opcode ID: 85bf20e9dbddc103779356c694087b508f263b141af8ce1d52b975771c3dd7ce
Instruction ID: f90ce1d505333be4a1be881f44ffd00506d230f9bfd61fd18702f3ea2549f274
Opcode Fuzzy Hash: 85bf20e9dbddc103779356c694087b508f263b141af8ce1d52b975771c3dd7ce
Instruction Fuzzy Hash: ED51CF22A1AB80C2EB608F55E4447BD7370FB99B84F50522AEE8D53B59DF38D5C2C700

Function 00007FF68C960680 Relevance: 16.7, APIs: 11, Instructions: 200synchronizationCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C96077E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C960797
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C96082E
CloseHandle.KERNEL32 ref: 00007FF68C96094B
WaitForSingleObject.KERNEL32 ref: 00007FF68C960958
GetLastError.KERNEL32 ref: 00007FF68C960961
GetExitCodeProcess.KERNEL32 ref: 00007FF68C960989
CloseHandle.KERNEL32 ref: 00007FF68C9609A0
CloseHandle.KERNEL32 ref: 00007FF68C9609A8
CloseHandle.KERNEL32 ref: 00007FF68C9609B5
CloseHandle.KERNEL32 ref: 00007FF68C9609C2

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: CloseHandle$memcpy$CodeErrorExitLastObjectProcessSingleWait
String ID:
API String ID: 4095814610-0
Opcode ID: d7bfa7cac7c116067fe547020d47ff1cdee2c613d16024e256421e0818c62604
Instruction ID: d59aeae5f8247edfa2588cc1a8e225cbf11c09ec31e453a702c9982af006f9f7
Opcode Fuzzy Hash: d7bfa7cac7c116067fe547020d47ff1cdee2c613d16024e256421e0818c62604
Instruction Fuzzy Hash: B891B222A08BC1C2EA619B25F405BFAA3A4FF94784F049275EF8D52796DF3CE191C740

Function 00007FF68C95B02E Relevance: 15.1, APIs: 10, Instructions: 130memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF68C95B31E
HeapFree.KERNEL32 ref: 00007FF68C95B4BA
HeapFree.KERNEL32 ref: 00007FF68C95B4DB
HeapFree.KERNEL32 ref: 00007FF68C95B4F1
HeapFree.KERNEL32 ref: 00007FF68C95B51A

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 12d8711fbcedbc2757be5d5f6e80439acd786e58ab72267057fc44b7b96f8bbe
Instruction ID: 415ed3e2e52c429069fb63a3f2705d6727fc5ea2bff9a2c54b6e7680ea9da875
Opcode Fuzzy Hash: 12d8711fbcedbc2757be5d5f6e80439acd786e58ab72267057fc44b7b96f8bbe
Instruction Fuzzy Hash: 32611932A0CAC2C0EA719F11E4147EAA3A4FF84795F44417ADA8D87A9ACF7CE485C740

Function 00007FF68C961750 Relevance: 15.1, APIs: 10, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000), ref: 00007FF68C961765
TlsGetValue.KERNEL32(?,00000000), ref: 00007FF68C961799
TlsSetValue.KERNEL32(?,00000000), ref: 00007FF68C9617A9
HeapFree.KERNEL32(?,00000000), ref: 00007FF68C9617BF
TlsGetValue.KERNEL32(?,00000000), ref: 00007FF68C9617E3
TlsGetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96181E
ProcessPrng.BCRYPTPRIMITIVES(?,?,?,00000000,?,00000000), ref: 00007FF68C96183D
TlsGetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96186A
TlsSetValue.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C96187A
HeapFree.KERNEL32(?,?,?,00000000,?,00000000), ref: 00007FF68C961890

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Value$FreeHeap$PrngProcess
String ID:
API String ID: 2541186568-0
Opcode ID: 53b8e99d704bf6651451a73ee2f0e1a6acc74449b4a6f87551685e8cc0445ab7
Instruction ID: 661bc0b6ef62b037893d9e304674068e0fb3e0962591815a24830a83b06c6a1d
Opcode Fuzzy Hash: 53b8e99d704bf6651451a73ee2f0e1a6acc74449b4a6f87551685e8cc0445ab7
Instruction Fuzzy Hash: C331C212E1C9D2C1FD552B666401AB952957F88F80F0845BDEA1DC73C7ED2CA882C2C0

Function 00007FF68C963C60 Relevance: 13.9, APIs: 11, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C963C80
HeapFree.KERNEL32 ref: 00007FF68C963CBC
HeapFree.KERNEL32 ref: 00007FF68C963CD6
HeapFree.KERNEL32 ref: 00007FF68C963D86

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: dab4d528d52ff534bedb1bed343f7f2cfef11ca4b6873d4725fc569e50c34220
Instruction ID: 452a528b06e63339f0b789c0ad5cf5d3f34a1a58dcf3b7f8111cc473c92f7247
Opcode Fuzzy Hash: dab4d528d52ff534bedb1bed343f7f2cfef11ca4b6873d4725fc569e50c34220
Instruction Fuzzy Hash: FE516E16A09EC6C1FE648B56E440BB95290BF84B94F48457ECB6E867D2DF3CF492D380

Function 00007FF68C9532F0 Relevance: 13.7, APIs: 9, Instructions: 176memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C952B00: HeapFree.KERNEL32 ref: 00007FF68C952C33

CreateFileW.KERNEL32 ref: 00007FF68C953463
GetLastError.KERNEL32 ref: 00007FF68C95348A
SetFileInformationByHandle.KERNEL32 ref: 00007FF68C9534B2
HeapFree.KERNEL32 ref: 00007FF68C9534F5
GetLastError.KERNEL32 ref: 00007FF68C953507
HeapFree.KERNEL32 ref: 00007FF68C95352F
GetLastError.KERNEL32 ref: 00007FF68C95353F
CloseHandle.KERNEL32 ref: 00007FF68C953552
HeapFree.KERNEL32 ref: 00007FF68C95356D

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$ErrorLast$FileHandle$CloseCreateInformation
String ID:
API String ID: 910738790-0
Opcode ID: 6f781c2dea5ffee30beb9144e5308161996e975bbd1dd044ae2d85e76f672d0a
Instruction ID: ad0a1e4fae395d871ae27da1574166eb05a7fa0eaad25d75b1ce0340805aaac1
Opcode Fuzzy Hash: 6f781c2dea5ffee30beb9144e5308161996e975bbd1dd044ae2d85e76f672d0a
Instruction Fuzzy Hash: A361AD62A0C2D682FF618A22A1007796B80BF45785F4441B9EE9DC7EC7DF7DE4A5C700

Function 00007FF68C956580 Relevance: 12.2, APIs: 8, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C956220: TlsGetValue.KERNEL32(00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C956239
Part of subcall function 00007FF68C956220: TlsGetValue.KERNEL32(00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C956271
Part of subcall function 00007FF68C956220: TlsSetValue.KERNEL32(00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C956281
Part of subcall function 00007FF68C956220: HeapFree.KERNEL32(00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C9562AD

HeapFree.KERNEL32 ref: 00007FF68C95672B
HeapFree.KERNEL32 ref: 00007FF68C95673C
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C95675F
HeapFree.KERNEL32 ref: 00007FF68C9567BD
HeapFree.KERNEL32 ref: 00007FF68C9567CE
HeapFree.KERNEL32 ref: 00007FF68C95683C
HeapFree.KERNEL32 ref: 00007FF68C95684D
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C95685D

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$Value$AddressSingleWake
String ID:
API String ID: 406711419-0
Opcode ID: a14425816d90bf8b35b70f114aa7e6150f6e27b0ceeff9ce5b2c51dd6d24f6d9
Instruction ID: 7a54588ba985fa493c5294d7b9906174d1ecc74e1d120d3412b679e01fc734f4
Opcode Fuzzy Hash: a14425816d90bf8b35b70f114aa7e6150f6e27b0ceeff9ce5b2c51dd6d24f6d9
Instruction Fuzzy Hash: 14916622A1DA82C0EE61DB11A45477963A0BF95B95F5888BEEE5DC73D2DF3CE442C340

Function 00007FF68C950810 Relevance: 11.4, APIs: 9, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C95082C
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C95087C
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C95088C
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C9508A2
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C9508C2
TlsGetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C9508F9
TlsGetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C950931
TlsSetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C950941
HeapFree.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C95096D

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: 7a91e8425537da9f6cdf666d2ee2030b644c3801640f78c588b15dd3424535cd
Instruction ID: c8cd4b14e7f8d85101b1eb7e81d210e4dc9d45d9152aee5836303e9aa5bec161
Opcode Fuzzy Hash: 7a91e8425537da9f6cdf666d2ee2030b644c3801640f78c588b15dd3424535cd
Instruction Fuzzy Hash: 8741BD22E0DAD2C1FE652B26A510B7952947F89B91F0C50FDDA5DC77C7DE7CA841C280

Function 00007FF68C959C3A Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C959C4B
HeapFree.KERNEL32 ref: 00007FF68C959C9D
HeapFree.KERNEL32 ref: 00007FF68C959CAE
SetLastError.KERNEL32 ref: 00007FF68C959D66
GetWindowsDirectoryW.KERNEL32 ref: 00007FF68C959D71
GetLastError.KERNEL32 ref: 00007FF68C959D7D
GetLastError.KERNEL32 ref: 00007FF68C959DA3

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorFreeHeapLast$DirectoryWindows
String ID:
API String ID: 3038101868-0
Opcode ID: 8f3967d82c1e7d039006414896063e670faa859c6d133682fe786fae5e8a46de
Instruction ID: cfb92c321c0c0d80808dfe4f09809e80240f515651499e0d8c37cc228d2f3574
Opcode Fuzzy Hash: 8f3967d82c1e7d039006414896063e670faa859c6d133682fe786fae5e8a46de
Instruction Fuzzy Hash: FA31AB22B0CAC680FE209A66D5083BA6295BF45B91F554179DA6DD7BC2DF7CE042C340

Function 00007FF68C94C970 Relevance: 10.2, APIs: 8, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C94C9D2
HeapFree.KERNEL32 ref: 00007FF68C94C9F5
HeapFree.KERNEL32 ref: 00007FF68C94CA25

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1cadcfc04fc0b00f7294f8aa3fade6e97f7d2483505162fb7989819c58a3d154
Instruction ID: fdd893bae24d4b8ffc3ff8d378971fbb2bda43dc03a82532be712f3c88333c3b
Opcode Fuzzy Hash: 1cadcfc04fc0b00f7294f8aa3fade6e97f7d2483505162fb7989819c58a3d154
Instruction Fuzzy Hash: EB615C22B09AC6C4EE25CB129544BB82391BF49BE8F49457ACE3D877D6DF38E491C340

Function 00007FF68C94FF70 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C9508E0: TlsGetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C9508F9
Part of subcall function 00007FF68C9508E0: TlsGetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C950931
Part of subcall function 00007FF68C9508E0: TlsSetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C950941
Part of subcall function 00007FF68C9508E0: HeapFree.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C95096D

HeapFree.KERNEL32 ref: 00007FF68C9500C4
HeapFree.KERNEL32 ref: 00007FF68C9500D5
HeapFree.KERNEL32 ref: 00007FF68C950145
HeapFree.KERNEL32 ref: 00007FF68C950156

Strings

main, xrefs: 00007FF68C94FFE5
<unknown>PATH, xrefs: 00007FF68C94FFF3

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$Value
String ID: <unknown>PATH$main
API String ID: 3456309649-1581385649
Opcode ID: 792cab6459d9c0d20925b8ca77dfed35d9e0065f578f8cdaaf6ab09fe7b03964
Instruction ID: 4572746c7ccf281126f10feaf86a2efe8b70985434367b2e91f602dc1a24cab4
Opcode Fuzzy Hash: 792cab6459d9c0d20925b8ca77dfed35d9e0065f578f8cdaaf6ab09fe7b03964
Instruction Fuzzy Hash: 91515A22A09A82C1EE60CB15F444379A3A4FF85B95F4450BAEA9DC77A6DF3CE551C340

Function 00007FF68C952ED0 Relevance: 9.1, APIs: 6, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF68C952F73
GetModuleFileNameW.KERNEL32 ref: 00007FF68C952F80
GetLastError.KERNEL32 ref: 00007FF68C952F8B
GetLastError.KERNEL32 ref: 00007FF68C952FA0
HeapFree.KERNEL32 ref: 00007FF68C953027
GetLastError.KERNEL32 ref: 00007FF68C953041

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$FileFreeHeapModuleName
String ID:
API String ID: 2130810879-0
Opcode ID: b1acf2bbf4d34673459571eedac742362e16ac1c1458ae57f6b46f7c0216beaa
Instruction ID: e772ae16e5f50b3ec74776bed02115b8e69e0a350c3119f489ae937162e33591
Opcode Fuzzy Hash: b1acf2bbf4d34673459571eedac742362e16ac1c1458ae57f6b46f7c0216beaa
Instruction Fuzzy Hash: D5410422A1CBC6C0FE208A22B804B7A6690BF447A5F54027CEE6DC76C7CE7DD180C740

Function 00007FF68C95CDF0 Relevance: 9.0, APIs: 7, Instructions: 254memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C95CDFE
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95CFBE
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95D028
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95D060
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95D0A6
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95D0CC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95D1E9

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID:
API String ID: 4250714341-0
Opcode ID: 55b54bfb86a12a0241974352b423482a55883790906131e1acac40a12f55475b
Instruction ID: 30aa4e8f69f175d8a6011da9f5f16040d0f01b3b171d9934fe1e35ddcebdba3f
Opcode Fuzzy Hash: 55b54bfb86a12a0241974352b423482a55883790906131e1acac40a12f55475b
Instruction Fuzzy Hash: 2DD17D22618BC082DB16CF28E4403FA73A5FF98B94F549226DF9957769DF79E291C300

Function 00007FF68C956220 Relevance: 8.8, APIs: 7, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C956239
TlsGetValue.KERNEL32(00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C956271
TlsSetValue.KERNEL32(00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C956281
HeapFree.KERNEL32(00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C9562AD

Part of subcall function 00007FF68C94CBC0: HeapFree.KERNEL32(?,?,00000001,00007FF68C95631E,?,?,?,?,?,00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C94CBDC

TlsGetValue.KERNEL32(00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C9562D1
TlsSetValue.KERNEL32(?,?,?,?,?,00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C956303
HeapFree.KERNEL32(?,?,?,?,?,00000000,00000000,00000001,00007FF68C9565A0), ref: 00007FF68C95632A

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: 0cf19cf232c03d6f849de63c95224587dc43345695acae4c472907aae5a60070
Instruction ID: 0527059d4472cd8b15d9d21fcf362aa50c5cfdeea3ce9459fb72234003ff37f6
Opcode Fuzzy Hash: 0cf19cf232c03d6f849de63c95224587dc43345695acae4c472907aae5a60070
Instruction Fuzzy Hash: AA31AC22F0D9D2C1FE256B2695117BD1291BF89B91F0844BDCA1DD73D7DE6CA892C380

Function 00007FF68C9303F4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82memoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C928260: HeapFree.KERNEL32 ref: 00007FF68C928302
Part of subcall function 00007FF68C928260: HeapFree.KERNEL32 ref: 00007FF68C928315

RegCreateKeyExW.ADVAPI32 ref: 00007FF68C93034C
HeapFree.KERNEL32 ref: 00007FF68C93037D
RegCloseKey.ADVAPI32 ref: 00007FF68C9303B1
HeapFree.KERNEL32 ref: 00007FF68C9303CB
RegCloseKey.ADVAPI32 ref: 00007FF68C930447
HeapFree.KERNEL32 ref: 00007FF68C93045D
HeapFree.KERNEL32 ref: 00007FF68C93047E
HeapFree.KERNEL32 ref: 00007FF68C9304C6
HeapFree.KERNEL32 ref: 00007FF68C9304D7
HeapFree.KERNEL32 ref: 00007FF68C930506

Strings

?, xrefs: 00007FF68C93032C

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$Close$Create
String ID: ?
API String ID: 3832569539-1684325040
Opcode ID: abe1b56737e018da4e46bad23ec6a8407202cebab7e49d1ffbae50ec55ea28e4
Instruction ID: e086e6780fca92b4d15d192cee5b504bf31872f9e057d033224d62dcab78cb52
Opcode Fuzzy Hash: abe1b56737e018da4e46bad23ec6a8407202cebab7e49d1ffbae50ec55ea28e4
Instruction Fuzzy Hash: 09411732609BC1C5EB309B51F4943AAB3A4FF88784F501179DA8C86B9AEF7CD155CB44

Function 00007FF68C94BFA0 Relevance: 7.8, APIs: 6, Instructions: 330memoryCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,00000000,00000000,00007FF68C94B529), ref: 00007FF68C94C1EA
HeapFree.KERNEL32 ref: 00007FF68C94C3A6
HeapFree.KERNEL32 ref: 00007FF68C94C3BA
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C94C46E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C94C484
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C94C4CB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID:
API String ID: 4250714341-0
Opcode ID: 84764352876102455a3b2aa23fe2f3af7d4ce00cb73b0e0aa1858fbe032be188
Instruction ID: 44dc96a086d1b71093a2495ed46f6abc1b4b26724f737f8b8befca6c88884f23
Opcode Fuzzy Hash: 84764352876102455a3b2aa23fe2f3af7d4ce00cb73b0e0aa1858fbe032be188
Instruction Fuzzy Hash: 92F1AD22A19AC1C1EE60CB14E4047B967A0FF58BA8F059379DABD877D6DF38E191C340

Function 00007FF68C942690 Relevance: 7.7, APIs: 6, Instructions: 230COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00000000,00000000,00007FF68C94BF94), ref: 00007FF68C942779
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00000000,00000000,00007FF68C94BF94), ref: 00007FF68C94278C
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00000000,00000000,00007FF68C94BF94), ref: 00007FF68C9427D6

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 815b6481848aac9d6395472ca5d520f3f45efa49456bacff0ec74a9b8bc44a25
Instruction ID: 610a5765acbca5df6dbaf13026d78d852c27daabb7d5983ad4b9707956a8932a
Opcode Fuzzy Hash: 815b6481848aac9d6395472ca5d520f3f45efa49456bacff0ec74a9b8bc44a25
Instruction Fuzzy Hash: 34A19F22A09AC1C1EA609B15E4003F9A3A0FF597A8F149379DEBD867D6DF3CE185C740

Function 00007FF68C9503B0 Relevance: 7.7, APIs: 5, Instructions: 205memoryCOMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C95071A
HeapFree.KERNEL32 ref: 00007FF68C950777
HeapFree.KERNEL32 ref: 00007FF68C950788

Part of subcall function 00007FF68C950810: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C95082C
Part of subcall function 00007FF68C950810: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C95087C
Part of subcall function 00007FF68C950810: TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C95088C
Part of subcall function 00007FF68C950810: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C9508A2

Part of subcall function 00007FF68C9508E0: TlsGetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C9508F9
Part of subcall function 00007FF68C9508E0: TlsGetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C950931
Part of subcall function 00007FF68C9508E0: TlsSetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C950941
Part of subcall function 00007FF68C9508E0: HeapFree.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C95096D

Part of subcall function 00007FF68C94FE90: HeapFree.KERNEL32(?,?,00000001,00007FF68C95173E,?,?,?,?,?), ref: 00007FF68C94FEB6

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Value$FreeHeap$AddressSingleWake
String ID:
API String ID: 2155206942-0
Opcode ID: 58eaf7c0866332e462f632632dfac8d6449c26b0b08e90e07aef5a2668aa7239
Instruction ID: 34acb4d859e8ac1bcb6b007b709a0106361ca3438eaf1711d36a16a1754cc355
Opcode Fuzzy Hash: 58eaf7c0866332e462f632632dfac8d6449c26b0b08e90e07aef5a2668aa7239
Instruction Fuzzy Hash: 9F91BA21E0D682C4FE618B61B9443782690BF65B95F481AFEE91CC72E2DF3CA486D300

Function 00007FF68C95FB10 Relevance: 7.7, APIs: 6, Instructions: 178COMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95FB8C
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95FBAA
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95FBE3
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95FC00
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95FD61
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95FD81

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: d5db16d91affda2f84a152caf751f07f8368cedc113330026889aa15eaa87eea
Instruction ID: e2068af570000e4ecbeffe48641d44c78d3fbea5201b5577c9bc597a51e84981
Opcode Fuzzy Hash: d5db16d91affda2f84a152caf751f07f8368cedc113330026889aa15eaa87eea
Instruction Fuzzy Hash: E391D722A15BC4C2EA559F18F4017FAA368FF54798F545326DF8D13266EF39E196C300

Function 00007FF68C95CF2C Relevance: 7.7, APIs: 6, Instructions: 174memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C95CDFE
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95CFBE
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95D028
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95D060
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95D0A6
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95D0CC
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95D1E9

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID:
API String ID: 4250714341-0
Opcode ID: a0caff6dd93ee5d7dd380fdfb93ab33e69047ed97e2fd5ff91c07ec619dc2965
Instruction ID: 8242a0e2d6722e5b591cffab5a28d20329268a1e1253cd0b7d61d7ef9288b346
Opcode Fuzzy Hash: a0caff6dd93ee5d7dd380fdfb93ab33e69047ed97e2fd5ff91c07ec619dc2965
Instruction Fuzzy Hash: 11917C22605BC082DB15CF28E4443E97764FF98B88F589336DB9957769EF75E282C300

Function 00007FF68C954F42 Relevance: 7.7, APIs: 6, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C954FEE
HeapFree.KERNEL32 ref: 00007FF68C954FFF
HeapFree.KERNEL32 ref: 00007FF68C9550BF
HeapFree.KERNEL32 ref: 00007FF68C9550D3

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b283ebb46fc539135ded7bf984fae4520afc19b3de7bb98c244c57499e960ffa
Instruction ID: a541bd82fa6b6440cbe25e3637e7575dff7a2e39515eb6890006811cec0da7a5
Opcode Fuzzy Hash: b283ebb46fc539135ded7bf984fae4520afc19b3de7bb98c244c57499e960ffa
Instruction Fuzzy Hash: 26515B22A0DA86C1EE64DA16A50437D5791BF89BC5F1884B9EE1E87797DE3CE142C340

Function 00007FF68C94D39D Relevance: 7.6, APIs: 6, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C94D46C
HeapFree.KERNEL32 ref: 00007FF68C94D47D

Part of subcall function 00007FF68C94D5E0: HeapFree.KERNEL32 ref: 00007FF68C94D9F7
Part of subcall function 00007FF68C94D5E0: GetSystemInfo.KERNEL32 ref: 00007FF68C94DA27

HeapFree.KERNEL32 ref: 00007FF68C94D54D
HeapFree.KERNEL32 ref: 00007FF68C94D55E
HeapFree.KERNEL32 ref: 00007FF68C94D5BD
HeapFree.KERNEL32 ref: 00007FF68C94D5CE

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$InfoSystem
String ID:
API String ID: 738346042-0
Opcode ID: eb3f5b1d3b5f82bb69807adc4302becdbf9f55ab7de732d39ccc6c47cfe18b98
Instruction ID: e40ea082e50953fb91ff2cafd420234fb07acd8e5d86f86a117f2dcdf8e11553
Opcode Fuzzy Hash: eb3f5b1d3b5f82bb69807adc4302becdbf9f55ab7de732d39ccc6c47cfe18b98
Instruction Fuzzy Hash: 5F511C27A18A82C0EE64DB05E54877D63A5FF85B84F4840B9DA6D876D6DF7CE481C340

Function 00007FF68C94BD80 Relevance: 7.6, APIs: 6, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF68C94BD9E
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C94BE75
TlsGetValue.KERNEL32 ref: 00007FF68C94BEF5
TlsSetValue.KERNEL32 ref: 00007FF68C94BF05
HeapFree.KERNEL32 ref: 00007FF68C94BF3D
TlsGetValue.KERNEL32 ref: 00007FF68C94BF66

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Value$FreeHeapmemcpy
String ID:
API String ID: 834479853-0
Opcode ID: a5821416040ee07c2aee2775c04b113f283301bd7503e62b4d74c7fb4b75c0b4
Instruction ID: dcbb08a1d3f9d9061a8f67daa468fe84dd54a5e3b547599a72407f3e7d30dc94
Opcode Fuzzy Hash: a5821416040ee07c2aee2775c04b113f283301bd7503e62b4d74c7fb4b75c0b4
Instruction Fuzzy Hash: 7F51B522E19ED2C1FA209B2595047B963A4FF58758F0596BDDAAC873D3DF3CA091C780

Function 00007FF68C958782 Relevance: 7.6, APIs: 5, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C9587E7
SetLastError.KERNEL32 ref: 00007FF68C9588A8
GetSystemDirectoryW.KERNEL32 ref: 00007FF68C9588B3
GetLastError.KERNEL32 ref: 00007FF68C9588BE
GetLastError.KERNEL32 ref: 00007FF68C9588D6

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$DirectoryFreeHeapSystem
String ID:
API String ID: 696374338-0
Opcode ID: 6f1e48ae02e7c56fd37775aedc06950689497fdc8ef0be3575ca0c0c837f756f
Instruction ID: 23f9fc6ff323aa192204f3688e1f1d32adb72e53184d88a990b4c3172a51e2f0
Opcode Fuzzy Hash: 6f1e48ae02e7c56fd37775aedc06950689497fdc8ef0be3575ca0c0c837f756f
Instruction Fuzzy Hash: AF318116A486D2C1FB345A61845937A6280BF00B65F15427DEA7ED7ACACF7CE841C344

Function 00007FF68C95A2EF Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C95A305
HeapFree.KERNEL32 ref: 00007FF68C95A41B
HeapFree.KERNEL32 ref: 00007FF68C95A434
HeapFree.KERNEL32 ref: 00007FF68C95A454

Strings

U6, xrefs: 00007FF68C95A3D6

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID: U6
API String ID: 3298025750-3964119060
Opcode ID: 8d2fa64b969eaa990475b96f5440ef1618286f35dfd0f6c07492a1405a308adf
Instruction ID: e931272d23b5eae14f508e13256bbdea3d963f3e4a23930ce1552b8e2ff5f071
Opcode Fuzzy Hash: 8d2fa64b969eaa990475b96f5440ef1618286f35dfd0f6c07492a1405a308adf
Instruction Fuzzy Hash: 29310A32508BC1C0EB608F51E4483FA67A4FF88B84F04817ADA9D97A9ACF7CD091C744

Function 00007FF68C942A90 Relevance: 6.4, APIs: 5, Instructions: 142memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,00000000,00000000,00000000,00007FF68C94BF94), ref: 00007FF68C942ADD
HeapFree.KERNEL32(?,?,00000000,00000000,00000000,00007FF68C94BF94), ref: 00007FF68C942C01
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000000,00000000,00000000,00007FF68C94BF94), ref: 00007FF68C942C1E
HeapFree.KERNEL32(?,?,00000000,00000000,00000000,00007FF68C94BF94), ref: 00007FF68C942CA9
HeapFree.KERNEL32(?,?,00000000,00000000,00000000,00007FF68C94BF94), ref: 00007FF68C942CCB

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: af2bdd6e8122c800f99326544e929ee6727fa896b07752b671ee12e7031306d2
Instruction ID: 9550d9695f7dedd8a6e42810e85e89fce2800e9f72a872b329a38be5980f6160
Opcode Fuzzy Hash: af2bdd6e8122c800f99326544e929ee6727fa896b07752b671ee12e7031306d2
Instruction Fuzzy Hash: 4551E512A18EC6C0EA218B1998047B95764FF967B4F559379EE7D962D2EF3CE481C300

Function 00007FF68C959320 Relevance: 6.4, APIs: 5, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C95A4D7
HeapFree.KERNEL32 ref: 00007FF68C95ACBE
HeapFree.KERNEL32 ref: 00007FF68C95ACEF
CloseHandle.KERNEL32 ref: 00007FF68C95B31E
HeapFree.KERNEL32 ref: 00007FF68C95B51A

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$CloseHandlememcpy
String ID:
API String ID: 2532389815-0
Opcode ID: 809d676975b0920cbe60297eb4b30ed59231665c628e83d3c3e9f1b9eaa2a573
Instruction ID: 0902e8056595e251f58045d95d89f4a82a5b977a425850111106ac7d93b356c6
Opcode Fuzzy Hash: 809d676975b0920cbe60297eb4b30ed59231665c628e83d3c3e9f1b9eaa2a573
Instruction Fuzzy Hash: 25515C22A0CAC6C0EE21DB55E4403BDA361FF94B85F44807ADA8D93B9ADF3CD446C700

Function 00007FF68C9508E0 Relevance: 6.3, APIs: 5, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C9508F9
TlsGetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C950931
TlsSetValue.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C950941
HeapFree.KERNEL32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000,-00000008), ref: 00007FF68C95096D

Part of subcall function 00007FF68C94FE90: HeapFree.KERNEL32(?,?,00000001,00007FF68C95173E,?,?,?,?,?), ref: 00007FF68C94FEB6

TlsGetValue.KERNEL32(-00000008,?,00000000,00007FF68C950192), ref: 00007FF68C950991

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: 389c5f119a7f37e152ef57dae1ef26e2890b5f5958358c5235fe991c236ea3a3
Instruction ID: 2116a845bb6c8314427228366793cfdbf6bcda29186a8b752dc135641cad661d
Opcode Fuzzy Hash: 389c5f119a7f37e152ef57dae1ef26e2890b5f5958358c5235fe991c236ea3a3
Instruction Fuzzy Hash: DF11BEB2E0D5D2C1FE652B26A52177D5294BF85B81F0860FDDA5DC73CBDD6CA841C280

Function 00007FF68C94C850 Relevance: 6.3, APIs: 5, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF68C94C865
TlsGetValue.KERNEL32 ref: 00007FF68C94C899
TlsSetValue.KERNEL32 ref: 00007FF68C94C8A9
HeapFree.KERNEL32 ref: 00007FF68C94C8BF
TlsGetValue.KERNEL32 ref: 00007FF68C94C8E3

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: Value$FreeHeap
String ID:
API String ID: 911738859-0
Opcode ID: 1b4d6d9c542dc838a40c6e866a6cde91695e8afd33f488985f9d1d13d2fd6d9f
Instruction ID: 869e7bc4470eca959e985e9e4012d2b4999f52ff622679f81b143b4f95ea962c
Opcode Fuzzy Hash: 1b4d6d9c542dc838a40c6e866a6cde91695e8afd33f488985f9d1d13d2fd6d9f
Instruction Fuzzy Hash: FF11CE22F1C9D2C5FD656B2264117BD02947F89B80F0804FDD92DD73C7DD2CA882C280

Function 00007FF68C938FC0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68C938FE7
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68C9392B4
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C9392C7

Strings

FFFFFFFF, xrefs: 00007FF68C939120

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memset$memcpy
String ID: FFFFFFFF
API String ID: 368790112-1347283565
Opcode ID: 66bb0766c79497e08940e15b097dba0dcaa17d9f29aa89d6a913e861e4bdf955
Instruction ID: 48ed8e4d54700da59b7524e66c8f8ee543b97b6c597c270618091bf098eab2e1
Opcode Fuzzy Hash: 66bb0766c79497e08940e15b097dba0dcaa17d9f29aa89d6a913e861e4bdf955
Instruction Fuzzy Hash: 39814422B1C6D2C2FE75CA7581043B96792BF457A4F466279D94E923C2CF3E9A41C204

Function 00007FF68C958973 Relevance: 6.1, APIs: 4, Instructions: 125COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF68C9588A8
GetSystemDirectoryW.KERNEL32 ref: 00007FF68C9588B3
GetLastError.KERNEL32 ref: 00007FF68C9588BE
GetLastError.KERNEL32 ref: 00007FF68C9588D6

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$DirectorySystem
String ID:
API String ID: 860285823-0
Opcode ID: ea9b788d52612664f9088d34ffec071b64d5f209076e391ccc328b6bb5778006
Instruction ID: d1ab755615bd65bec07550c250d1420cf8e49dae203360f72cd442472e8804a2
Opcode Fuzzy Hash: ea9b788d52612664f9088d34ffec071b64d5f209076e391ccc328b6bb5778006
Instruction Fuzzy Hash: E0518A22A18AD1C1EB309B11E4443BE62A4FF407A1F01427ADAAEA7BDADF7CD441C744

Function 00007FF68C950D30 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,00000000,00007FF8C62FD0B0), ref: 00007FF68C950DB6
WriteConsoleW.KERNEL32(?,?,?,00000000,00007FF8C62FD0B0), ref: 00007FF68C950DF4
WriteConsoleW.KERNEL32 ref: 00007FF68C950E78
GetLastError.KERNEL32 ref: 00007FF68C950E81

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ConsoleWrite$ByteCharErrorLastMultiWide
String ID:
API String ID: 3036337926-0
Opcode ID: 07c537da8811d70a022d6f154d311d44786e5e5512504200c64fb391a295c508
Instruction ID: 0e49b1d99f784b73b8f64cea8c81e44a36a8bfe7fe55d79ae6543a6640f02f53
Opcode Fuzzy Hash: 07c537da8811d70a022d6f154d311d44786e5e5512504200c64fb391a295c508
Instruction Fuzzy Hash: 1641DC62F081E2C6FE244651B4043BA5550BF44786F6460F9EA8ED3BCBDE7CE485C640

Function 00007FF68C964A50 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C961750: TlsGetValue.KERNEL32(?,00000000), ref: 00007FF68C961765
Part of subcall function 00007FF68C961750: TlsGetValue.KERNEL32(?,00000000), ref: 00007FF68C961799
Part of subcall function 00007FF68C961750: TlsSetValue.KERNEL32(?,00000000), ref: 00007FF68C9617A9
Part of subcall function 00007FF68C961750: HeapFree.KERNEL32(?,00000000), ref: 00007FF68C9617BF

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C964B17
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C964BB2
WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF68C964BCE
GetLastError.KERNEL32 ref: 00007FF68C964BD8

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: AddressValue$SingleWake$ErrorFreeHeapLastWait
String ID:
API String ID: 2675984105-0
Opcode ID: b38cdef6c2f7d106dc1ae0eb83e231e11ca37de4423362bc878a466cc47ec2c6
Instruction ID: 4bc7e0bea70a7c1008f3cc41904a48678fb090538518ee8e072147e9e29babba
Opcode Fuzzy Hash: b38cdef6c2f7d106dc1ae0eb83e231e11ca37de4423362bc878a466cc47ec2c6
Instruction Fuzzy Hash: 14416F2290CAC1C1EB61DB75A500BBEA790BF95798F049179EF8C86A97DF2CE0C5C741

Function 00007FF68C959E4C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C95D3E0: HeapFree.KERNEL32 ref: 00007FF68C95D486
Part of subcall function 00007FF68C95D3E0: HeapFree.KERNEL32 ref: 00007FF68C95D497

HeapFree.KERNEL32 ref: 00007FF68C959E90
HeapFree.KERNEL32 ref: 00007FF68C959EC9

Strings

g5, xrefs: 00007FF68C959E74
PATH, xrefs: 00007FF68C959F9A

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID: PATH$g5
API String ID: 3298025750-4158530234
Opcode ID: 26d314a44fd4dae24bbdcc30059c1fd47763102072f4676809573130bc0ef09a
Instruction ID: 7834e3a31591261a57bb92e96fd4d89be47790f92b9c1bc4656b6ff315896500
Opcode Fuzzy Hash: 26d314a44fd4dae24bbdcc30059c1fd47763102072f4676809573130bc0ef09a
Instruction Fuzzy Hash: 4B419C22A0CAC6C5EA309B50E4443FBA391FF85756F45807ADA8D97B9ACF3DE485C704

Function 00007FF68C95F4A0 Relevance: 6.1, APIs: 4, Instructions: 59memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68C952B00: HeapFree.KERNEL32 ref: 00007FF68C952C33

HeapFree.KERNEL32 ref: 00007FF68C95F52C
GetCurrentThread.KERNEL32 ref: 00007FF68C95F533
SetThreadDescription.KERNELBASE ref: 00007FF68C95F545
HeapFree.KERNEL32 ref: 00007FF68C95F559

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$Thread$CurrentDescription
String ID:
API String ID: 930939367-0
Opcode ID: 03c4c9017ea353290674e4955ed8cbc4ef4f50d0e68ce97cacc1b9bd90d63113
Instruction ID: a5ae30bc09538125feeec9b9ac119085b7b72255b2f966e1520e3155e8209b4a
Opcode Fuzzy Hash: 03c4c9017ea353290674e4955ed8cbc4ef4f50d0e68ce97cacc1b9bd90d63113
Instruction Fuzzy Hash: B6115122A0CAC6C1EE20DB16A5046B96361BF89BE4F444279DE5D87B9ADE2CE142C740

Function 00007FF68C958636 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF68C958696
GetFullPathNameW.KERNEL32 ref: 00007FF68C9586A7
GetLastError.KERNEL32 ref: 00007FF68C9586B3
GetLastError.KERNEL32 ref: 00007FF68C9586D6

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID:
API String ID: 2482867836-0
Opcode ID: 67e6fe3ae0aeeaeb24e89052fa6734204a564b7297581c4f1078b856a5f688f6
Instruction ID: 7baeb4cd9850feb398ed9ae3000b984f4db1dc1d48a71ee408b288b9bcf8a259
Opcode Fuzzy Hash: 67e6fe3ae0aeeaeb24e89052fa6734204a564b7297581c4f1078b856a5f688f6
Instruction Fuzzy Hash: F1012E52B0D6D6C5FF20587685087BA52847F01BE0F510679DA39E3EC3DE6CE400C309

Function 00007FF68C959D06 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF68C959D66
GetWindowsDirectoryW.KERNEL32 ref: 00007FF68C959D71
GetLastError.KERNEL32 ref: 00007FF68C959D7D
GetLastError.KERNEL32 ref: 00007FF68C959DA3

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$DirectoryWindows
String ID:
API String ID: 1506654308-0
Opcode ID: 88a4185f548dab2ad5cf16b63d8672d72048dae1b877773ca6e29c293c116a5d
Instruction ID: 666c858c32ec05b66ef4d68fd92669452726f187127bd7ad501166a285e44999
Opcode Fuzzy Hash: 88a4185f548dab2ad5cf16b63d8672d72048dae1b877773ca6e29c293c116a5d
Instruction Fuzzy Hash: 1A019E52B1C6D6C8FE60696995043B952893F00BE2F650679EA39E7AC3DE6DE402C340

Function 00007FF68C959A46 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF68C959AA6
GetSystemDirectoryW.KERNEL32 ref: 00007FF68C959AB1
GetLastError.KERNEL32 ref: 00007FF68C959ABC
GetLastError.KERNEL32 ref: 00007FF68C959AD5

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$DirectorySystem
String ID:
API String ID: 860285823-0
Opcode ID: dd4c86467902ee9b8df7f3d06b4dd389ff0079c6ef2c5990c25acac0ac822cd0
Instruction ID: c5e6d8585f5602bdc8e93c6326857753680381171578af5df1208f5defecbf3f
Opcode Fuzzy Hash: dd4c86467902ee9b8df7f3d06b4dd389ff0079c6ef2c5990c25acac0ac822cd0
Instruction Fuzzy Hash: 7901BC12A0CAD685FE2069A599053B912843F01BF1F5607B9DA3EE7AC3DE6DE402C250

Function 00007FF68C958846 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF68C9588A8
GetSystemDirectoryW.KERNEL32 ref: 00007FF68C9588B3
GetLastError.KERNEL32 ref: 00007FF68C9588BE
GetLastError.KERNEL32 ref: 00007FF68C9588D6

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: ErrorLast$DirectorySystem
String ID:
API String ID: 860285823-0
Opcode ID: d96709fa5ad1a7e2649e00c7be5a36b9731436211f8e646a09ef1ea265dab2f8
Instruction ID: 867de1a5c16a6dbc7c30c14f14c8a5d2a6ff4d5596a31fd362f27a3ee237327c
Opcode Fuzzy Hash: d96709fa5ad1a7e2649e00c7be5a36b9731436211f8e646a09ef1ea265dab2f8
Instruction Fuzzy Hash: 3C018012F189E6C2FE20683484053795244BF017B5F1642B8DA3DE7ECBDE6DE801C349

Function 00007FF68C942F70 Relevance: 5.2, APIs: 4, Instructions: 180memoryCOMMON

Download Yara Rule

APIs

memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,-0000026F,00000000,00007FF68C942DB7,00000000,00000000,00007FF68C94B4EB), ref: 00007FF68C94307F
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,-0000026F,00000000,00007FF68C942DB7,00000000,00000000,00007FF68C94B4EB), ref: 00007FF68C943092
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF68C9430DA
HeapFree.KERNEL32(00007FF68C942DB7,00000000,00000000,00007FF68C94B4EB), ref: 00007FF68C94327D

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: memcpy$FreeHeap
String ID:
API String ID: 4250714341-0
Opcode ID: f1174401a5010b7f4574f4d3f1384ce6f318dca5a5104f3d1d6713112bdb8c60
Instruction ID: b7c1754904ac0cce779281362e8969b28137c4535461c94da8c3cb35e949824a
Opcode Fuzzy Hash: f1174401a5010b7f4574f4d3f1384ce6f318dca5a5104f3d1d6713112bdb8c60
Instruction Fuzzy Hash: A481A022A19BC481E6218B19E8013EAB7A0FF99759F059325EFEC53795DF38D2D2C740

Function 00007FF68C965A60 Relevance: 5.1, APIs: 4, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C965AAC
HeapFree.KERNEL32 ref: 00007FF68C965B16
HeapFree.KERNEL32 ref: 00007FF68C965B4C
HeapFree.KERNEL32 ref: 00007FF68C965BB6

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6fdd41e4e85157a888c6b510b22fbf47570cef9d66cf2e5ce5d1061829f76096
Instruction ID: 2b86fdb232e0096edf6a8cc753810b60128c01c6837ee799d60752af22a602df
Opcode Fuzzy Hash: 6fdd41e4e85157a888c6b510b22fbf47570cef9d66cf2e5ce5d1061829f76096
Instruction Fuzzy Hash: 6E418326B09E86C2EA259B23A540B6A6364FF44B98F584479DF5D877C2DF3CE091C340

Function 00007FF68C954F4C Relevance: 5.1, APIs: 4, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C954FEE
HeapFree.KERNEL32 ref: 00007FF68C954FFF
HeapFree.KERNEL32 ref: 00007FF68C9550BF
HeapFree.KERNEL32 ref: 00007FF68C9550D3

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c725985f59428f0de4427d322dfb0947af3d541a8a41e62dc10622d450ee8d3d
Instruction ID: ec87b5ee8140f42711df68d8d90eb88f41ff7768442af0175457659f9a934abd
Opcode Fuzzy Hash: c725985f59428f0de4427d322dfb0947af3d541a8a41e62dc10622d450ee8d3d
Instruction Fuzzy Hash: 01417E22B0DA86C1ED64DA16A51427D5381BF89BD5F4444BEEE1E87797EE3CE142C340

Function 00007FF68C95A5E7 Relevance: 5.1, APIs: 4, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C95ACBE
HeapFree.KERNEL32 ref: 00007FF68C95ACEF
CloseHandle.KERNEL32 ref: 00007FF68C95B31E
HeapFree.KERNEL32 ref: 00007FF68C95B51A

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: b5b75d0d2f4fcb7fa9033217e1989d5190c4d618f5041e978ca3aa4d5ffb238f
Instruction ID: bff7b8d5082f7deba9c536563838ab4211d3f2a25b7c429203504f21a4037e20
Opcode Fuzzy Hash: b5b75d0d2f4fcb7fa9033217e1989d5190c4d618f5041e978ca3aa4d5ffb238f
Instruction Fuzzy Hash: 1141565291E5C2C5FE278F05A1007BD1B50BF817A2F4490BADE5E967E2CE3CEA51D300

Function 00007FF68C9592AF Relevance: 5.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF68C95ACBE
HeapFree.KERNEL32 ref: 00007FF68C95ACEF
CloseHandle.KERNEL32 ref: 00007FF68C95B31E
HeapFree.KERNEL32 ref: 00007FF68C95B51A

Memory Dump Source

Source File: 00000000.00000002.2440288160.00007FF68C921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68C920000, based on PE: true

Associated: 00000000.00000002.2440259388.00007FF68C920000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440336856.00007FF68C97D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68C97E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68D37E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2440367853.00007FF68DD7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447426567.00007FF68E63E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447460167.00007FF68E63F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2447508453.00007FF68E642000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68c920000_CSh#U0430rk F1 x.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 5bcdc74ea95421b13a642897fdbf48fca400b8ae6d00bc05bfd1afe3d031dd2a
Instruction ID: b76fda206547cc562995bde667a44278b170563993a633dfb26fd8dc23759e3a
Opcode Fuzzy Hash: 5bcdc74ea95421b13a642897fdbf48fca400b8ae6d00bc05bfd1afe3d031dd2a
Instruction Fuzzy Hash: DE217E22A0CAC6C0EF21DF55E4003B9A3A5FF84B95F44807ADA4D97AA6DF7CD482C740

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CSh#U0430rk F1 x.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: CSh#U0430rk F1 x.exePID: 1772, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: CSh#U0430rk F1 x.exePID: 1772, Parent PID: 1028COMMON

Execution Graph

Graph

Executed Functions

Function 00007FF68C928CE1 Relevance: 172.4, APIs: 80, Strings: 16, Instructions: 4404COMMON

Control-flow Graph

Windows Analysis Report
CSh#U0430rk F1 x.exe

Function 00007FF68C928CE1 Relevance: 172.4, APIs: 80, Strings: 16, Instructions: 4404
COMMON

Function 00007FF68C93293F Relevance: 65.3, APIs: 36, Strings: 1, Instructions: 501
memoryCOMMON

Function 00007FF68C92C3C7 Relevance: 46.5, APIs: 24, Strings: 2, Instructions: 963
memoryCOMMON

Function 00007FF68C925060 Relevance: 31.8, APIs: 21, Instructions: 348
memoryCOMMON

Function 00007FF68C961CD0 Relevance: 30.3, APIs: 15, Strings: 2, Instructions: 576
nativetimeCOMMON

Function 00007FF68C921E2D Relevance: 25.0, APIs: 13, Strings: 1, Instructions: 544
COMMON

Function 00007FF68C92DC75 Relevance: 24.3, APIs: 16, Instructions: 254
memoryCOMMON

Function 00007FF68C9681B0 Relevance: 17.0, APIs: 11, Instructions: 467
COMMON

Function 00007FF68C963170 Relevance: 10.8, APIs: 7, Instructions: 338
COMMON

Function 00007FF68C962880 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 325
memoryCOMMON

Function 00007FF68C9221B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 248
COMMON

Function 00007FF68C94CE20 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 224
memoryCOMMON

Function 00007FF68C921BA3 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205
memoryCOMMON

Function 00007FF68C921D76 Relevance: 12.2, APIs: 8, Instructions: 205
memoryCOMMON

Function 00007FF68C969300 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103
COMMON