Edit tour

Windows Analysis Report
wnGDKyXdAo.exe

Overview

General Information

Sample name:	wnGDKyXdAo.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	3fe5fd377ea9bde5ca15723d214916b9a8e1b780bd49fab6e75412315c155b52
Analysis ID:	1540690
MD5:	65265a6752011edf039bdeafeb4e1551
SHA1:	7414c76369b2e5762c93936a22ba530d80488d10
SHA256:	3fe5fd377ea9bde5ca15723d214916b9a8e1b780bd49fab6e75412315c155b52
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

wnGDKyXdAo.exe (PID: 5016 cmdline: "C:\Users\user\Desktop\wnGDKyXdAo.exe" MD5: 65265A6752011EDF039BDEAFEB4E1551)

conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wnGDKyXdAo.exe

Avira: detected

Source: wnGDKyXdAo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Code function: 0_2_00007FF6B9C835B0 recv,

0_2_00007FF6B9C835B0

Source: wnGDKyXdAo.exe

String found in binary or memory: https://http://Mozilla/5.0

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CCDA9C	0_2_00007FF6B9CCDA9C
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C9E053	0_2_00007FF6B9C9E053
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CC2020	0_2_00007FF6B9CC2020
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CD6F64	0_2_00007FF6B9CD6F64
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CC2644	0_2_00007FF6B9CC2644
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C91A00	0_2_00007FF6B9C91A00
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C839F0	0_2_00007FF6B9C839F0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CE5CC8	0_2_00007FF6B9CE5CC8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CBDBB4	0_2_00007FF6B9CBDBB4
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C9FB3E	0_2_00007FF6B9C9FB3E
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C9CB40	0_2_00007FF6B9C9CB40
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CB1B38	0_2_00007FF6B9CB1B38
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C8CB60	0_2_00007FF6B9C8CB60
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C96F32	0_2_00007FF6B9C96F32
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CCCE74	0_2_00007FF6B9CCCE74
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C9BE20	0_2_00007FF6B9C9BE20
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C88DD0	0_2_00007FF6B9C88DD0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CB1DC4	0_2_00007FF6B9CB1DC4
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CB5124	0_2_00007FF6B9CB5124
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C95050	0_2_00007FF6B9C95050
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CC0010	0_2_00007FF6B9CC0010
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CE1FE4	0_2_00007FF6B9CE1FE4
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CC0FB0	0_2_00007FF6B9CC0FB0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CB8F9C	0_2_00007FF6B9CB8F9C
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C85F70	0_2_00007FF6B9C85F70
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CC52FC	0_2_00007FF6B9CC52FC
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CD42D8	0_2_00007FF6B9CD42D8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C9F298	0_2_00007FF6B9C9F298
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CC1248	0_2_00007FF6B9CC1248
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C85190	0_2_00007FF6B9C85190
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C94160	0_2_00007FF6B9C94160
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C92500	0_2_00007FF6B9C92500
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C8E480	0_2_00007FF6B9C8E480
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C854A0	0_2_00007FF6B9C854A0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CD1450	0_2_00007FF6B9CD1450
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C93470	0_2_00007FF6B9C93470
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CE5474	0_2_00007FF6B9CE5474
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C87360	0_2_00007FF6B9C87360
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CC56AC	0_2_00007FF6B9CC56AC
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CEB698	0_2_00007FF6B9CEB698
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C965D0	0_2_00007FF6B9C965D0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C9A594	0_2_00007FF6B9C9A594
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C86590	0_2_00007FF6B9C86590
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CCB59C	0_2_00007FF6B9CCB59C
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CD48FC	0_2_00007FF6B9CD48FC
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CDF8F8	0_2_00007FF6B9CDF8F8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C947B0	0_2_00007FF6B9C947B0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9C8A740	0_2_00007FF6B9C8A740
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CBE764	0_2_00007FF6B9CBE764

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: String function: 00007FF6B9CA4AE0 appears 36 times
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: String function: 00007FF6B9CAC040 appears 144 times
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: String function: 00007FF6B9CB0700 appears 63 times

Source: classification engine

Classification label: mal48.winEXE@2/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_03

Source: wnGDKyXdAo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

File read: C:\Users\user\Desktop\wnGDKyXdAo.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wnGDKyXdAo.exe "C:\Users\user\Desktop\wnGDKyXdAo.exe"
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Section loaded: wininet.dll	Jump to behavior

Source: wnGDKyXdAo.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: wnGDKyXdAo.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: wnGDKyXdAo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wnGDKyXdAo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wnGDKyXdAo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wnGDKyXdAo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wnGDKyXdAo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Code function: 0_2_00007FF6B9CD227C EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00007FF6B9CD227C

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Code function: 0_2_00007FF6B9CDCB44 GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,

0_2_00007FF6B9CDCB44

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Code function: malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,free,sprintf,free,

0_2_00007FF6B9C84030

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Evaded block: after key decision	graph_0-43575
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Evaded block: after key decision	graph_0-43513
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Evaded block: after key decision	graph_0-43514

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-44463

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: wnGDKyXdAo.exe, 00000000.00000002.1698080885.00000264FF860000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

API call chain: ExitProcess graph end node

graph_0-43966

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Code function: 0_2_00007FF6B9CB72E0 IsDebuggerPresent,__crtUnhandledException,GetCurrentProcess,TerminateProcess,

0_2_00007FF6B9CB72E0

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

0_2_00007FF6B9CD227C

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

0_2_00007FF6B9CD227C

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Code function: 0_2_00007FF6B9CC04E8 GetProcessHeap,

0_2_00007FF6B9CC04E8

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CC3868 SetUnhandledExceptionFilter,		0_2_00007FF6B9CC3868
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CBC73C SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00007FF6B9CBC73C

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Code function: 0_2_00007FF6B9CBF8B8 cpuid

0_2_00007FF6B9CBF8B8

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _getptd,EnumSystemLocalesW,	0_2_00007FF6B9CD4D28
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _getptd,EnumSystemLocalesW,	0_2_00007FF6B9CD4C74
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson,	0_2_00007FF6B9CBEB88
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	0_2_00007FF6B9CB7EF4
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage,	0_2_00007FF6B9CD4DBC
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	0_2_00007FF6B9CD2DB8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage,	0_2_00007FF6B9CD4FEC
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: __crtDownlevelLocaleNameToLCID,GetLocaleInfoW,	0_2_00007FF6B9CBCFE0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6B9CBCF9C
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson,	0_2_00007FF6B9CD42D8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s,	0_2_00007FF6B9CD5290
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,	0_2_00007FF6B9CC1248
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _getptd,GetLocaleInfoW,	0_2_00007FF6B9CD51E8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF6B9CD5138
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free,	0_2_00007FF6B9CD24F8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00007FF6B9CD2654
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	0_2_00007FF6B9CD3540
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW,	0_2_00007FF6B9CD48FC
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: __crtGetLocaleInfoEx,	0_2_00007FF6B9CD47F8
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	0_2_00007FF6B9CD282C
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP,	0_2_00007FF6B9CD4744

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Code function: 0_2_00007FF6B9CB7BB8 GetSystemTimeAsFileTime,

0_2_00007FF6B9CB7BB8

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Code function: 0_2_00007FF6B9C837C0 GetUserNameA,

0_2_00007FF6B9C837C0

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe

Code function: 0_2_00007FF6B9CCAD54 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,std::bad_exception::bad_exception,_CxxThrowException,std::bad_exception::bad_exception,_CxxThrowException,

0_2_00007FF6B9CCAD54

Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CE10A0 Concurrency::details::VirtualProcessor::ThrowVirtualProcessorEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::WorkItem::Bind,		0_2_00007FF6B9CE10A0
Source: C:\Users\user\Desktop\wnGDKyXdAo.exe	Code function: 0_2_00007FF6B9CE0158 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::WorkItem::Bind,Concurrency::details::SchedulerBase::GetInternalContext,		0_2_00007FF6B9CE0158

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wnGDKyXdAo.exe	100%	Avira	HEUR/AGEN.1319794

Name	Source	Malicious	Antivirus Detection	Reputation
https://http://Mozilla/5.0	wnGDKyXdAo.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540690
Start date and time:	2024-10-24 01:02:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wnGDKyXdAo.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	3fe5fd377ea9bde5ca15723d214916b9a8e1b780bd49fab6e75412315c155b52
Detection:	MAL
Classification:	mal48.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 23 Number of non-executed functions: 87
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: wnGDKyXdAo.exe

Process:	C:\Users\user\Desktop\wnGDKyXdAo.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1555
Entropy (8bit):	4.710273607729329
Encrypted:	false
SSDEEP:	24:w3GSdNffPmFMqFh4im3S1emA26uuMj4/4rku3MkHtXDe98vO++ly+Npy+tbDZAd1:9SdkJPAke5uuMqo3ltTI+Z+y+4W+t
MD5:	F028EC760D3B3F8A0B9DB4CF6ED0BD85
SHA1:	229C305A97F890BF2EB66D9B5A0FB60FE79A3258
SHA-256:	96EC03AE0A7A7233F01D904F60AACC43A748B32190B7232CAB74A4349236B8A9
SHA-512:	32883789EFAA3375782ED6D9699838F4587F6BBC952115AFDB74C7ED00F4DFE90E93FD402798AD013FABB8F0B56578C47828304BD3A1DD87C0AEC261A38DDCB3
Malicious:	false
Reputation:	low
Preview:	aescriptsLicTool_Verbose v4.1.43 (20241006) / AESCRIPTSLICLIB 4.1.3....usage: aescriptsLicTool_Verbose productName privNum [licString] [version]..'productName' is the name of the product to be validated or licensed (this is the filename of the license file without extension)..'privNum' is the private number of the product (can be set to - to ignore for certain actions)..'licString' is the license string of the product to be licensed..('licString' can be set to - to unlicense a product)..('licString' can be set to -content to retrieve the current content of the license file as a string)..('licString' can be set to PID@REMOTE to request a floating license - replace PID with the product ID on the server)..'version' is the optional version of the product to be licensed....The tool can also be run in 'licenser' or 'license checker' mode..Licenser mode call syntax:..aescriptsLicTool_Verbose productName - [licString] [version] -license..License checker mode call syntax:..aescriptsLicTool_Verb

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.129641582558878
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wnGDKyXdAo.exe
File size:	645'776 bytes
MD5:	65265a6752011edf039bdeafeb4e1551
SHA1:	7414c76369b2e5762c93936a22ba530d80488d10
SHA256:	3fe5fd377ea9bde5ca15723d214916b9a8e1b780bd49fab6e75412315c155b52
SHA512:	6356f085894624e61a8dc67b19fc27ebf4c17b75b4cda970f120edc80d63946527ca845224c8b71d2d65a12efe5bfff7d781c050c382a517a958c0d3959afe63
SSDEEP:	12288:y6UPqQaO4tv82UlCKIMBnD1pnS8nWy9i4elej:y6jOK8GKIM5bWy9zj
TLSH:	25D46B59B39440E5D067C279CA574516F3B278460B3A9BDB03A0876B1F37AE09F3EB21
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........O};.!.;.!.;.!..\|..4.!..\|....!..\|....!.....6.!.;. ...!..U..:.!.]T..:.!.]T..:.!.Rich;.!.........PE..d......g.........."........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140037e30
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67021889 [Sun Oct 6 04:56:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3ee642cb8c343ab97cf5b604d88a461f

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA49C8C3EE8h
dec eax
add esp, 28h
jmp 00007FA49C8B7CA7h
int3
int3
dec eax
sub esp, 28h
call 00007FA49C8C07C8h
dec eax
mov ecx, dword ptr [eax+000000C0h]
dec eax
cmp ecx, dword ptr [0005C965h]
je 00007FA49C8B7E78h
mov eax, dword ptr [eax+000000C8h]
test dword ptr [0005CAD3h], eax
jne 00007FA49C8B7E6Ah
call 00007FA49C8C0C7Dh
dec eax
mov ecx, eax
mov eax, dword ptr [ecx+04h]
dec eax
add esp, 28h
ret
int3
dec eax
sub esp, 28h
call 00007FA49C8C0790h
dec eax
mov ecx, dword ptr [eax+000000C0h]
dec eax
cmp ecx, dword ptr [0005C92Dh]
je 00007FA49C8B7E78h
mov eax, dword ptr [eax+000000C8h]
test dword ptr [0005CA9Bh], eax
jne 00007FA49C8B7E6Ah
call 00007FA49C8C0C45h
dec eax
mov ecx, eax
dec eax
lea eax, dword ptr [ecx+00000128h]
dec eax
add esp, 28h
ret
int3
dec eax
sub esp, 28h
call 00007FA49C8C0754h
dec eax
mov ecx, dword ptr [eax+000000C0h]
dec eax
cmp ecx, dword ptr [0005C8F1h]
je 00007FA49C8B7E78h
mov eax, dword ptr [eax+000000C8h]
test dword ptr [0005CA5Fh], eax
jne 00007FA49C8B7E6Ah
call 00007FA49C8C0C09h
dec eax
mov ecx, eax
mov eax, dword ptr [ecx+000000D4h]
dec eax
add esp, 28h
ret
int3
int3
dec esp
mov ebx, esp

Rich Headers

Programming Language:

[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x91424	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa0000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x9a000	0x50c4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa1000	0xfbc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x81290	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x71000	0x4d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6f789	0x6f800	8a8e32c0d99c274fc8002dc11f45bcaa	False	0.505165271160314	data	6.372737146819066	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x71000	0x213de	0x21400	f7ca2b641a4baf725e5feea0e55d4344	False	0.354984140037594	data	4.614733432030153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x93000	0x6a60	0x3a00	71fce75483d7bb8ef829447188123647	False	0.2231950431034483	data	3.9381026450080876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x9a000	0x50c4	0x5200	be34dba8af943daf4f72a01864fb08c0	False	0.4907583841463415	data	5.750850673396023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xa0000	0x1e0	0x200	584568d783300e149a02ddab2f14ce0f	False	0.525390625	data	4.692060940173397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa1000	0x3a92	0x3c00	fa960895ca86a7d9e8087af3dc53212f	False	0.1248046875	data	2.177846270977989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xa0060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
WS2_32.dll	inet_ntop, ioctlsocket, gethostname, connect, WSAStartup, getaddrinfo, select, WSAGetLastError, setsockopt, WSACleanup, recv, socket, freeaddrinfo, __WSAFDIsSet, closesocket, send
IPHLPAPI.DLL	GetAdaptersInfo
KERNEL32.dll	GetThreadPriority, CreateFileW, SetEnvironmentVariableA, WriteConsoleW, SetStdHandle, ReadConsoleW, CreateTimerQueue, RegisterWaitForSingleObject, GetNumaHighestNodeNumber, ChangeTimerQueueTimer, SetEndOfFile, QueryDepthSList, LoadLibraryW, UnregisterWait, CreateFileA, SystemTimeToFileTime, FormatMessageA, SetFileTime, Sleep, CreateDirectoryA, GetLastError, SetFileAttributesA, CloseHandle, GetSystemTime, UnregisterWaitEx, GetStartupInfoW, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, ReleaseSemaphore, DuplicateHandle, VirtualProtect, VirtualFree, VirtualAlloc, GetVersionExW, WideCharToMultiByte, GetCurrentThreadId, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetSystemTimeAsFileTime, MultiByteToWideChar, GetStringTypeW, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, HeapFree, HeapAlloc, IsDebuggerPresent, IsProcessorFeaturePresent, GetCommandLineA, GetCPInfo, RtlPcToFileHeader, RaiseException, RtlLookupFunctionEntry, RtlUnwindEx, InitializeCriticalSectionAndSpinCount, TlsGetValue, CreateTimerQueueTimer, RtlCaptureContext, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsSetValue, TlsFree, SignalObjectAndWait, GetModuleHandleW, CreateSemaphoreW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetStdHandle, GetFileType, WriteFile, GetModuleFileNameW, FreeLibrary, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetProcessHeap, GetCurrentThread, ReadFile, SetFilePointerEx, FlushFileBuffers, GetConsoleCP, GetConsoleMode, HeapSize, CreateDirectoryW, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetFilePointer, HeapReAlloc, DeleteTimerQueueTimer, GetProcessAffinityMask, SetThreadAffinityMask, OutputDebugStringW, SwitchToThread, CreateThread, GetThreadTimes, FreeLibraryAndExitThread, GetModuleHandleA, SetEvent, WaitForSingleObject, CreateEventW, SetThreadPriority, GetTickCount
ADVAPI32.dll	GetUserNameA
SHELL32.dll	SHGetFolderPathA
WININET.dll	HttpSendRequestA, HttpOpenRequestA, InternetCloseHandle, InternetReadFile, InternetConnectA, HttpQueryInfoA, InternetSetOptionA, InternetOpenA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	19:03:51
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\wnGDKyXdAo.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wnGDKyXdAo.exe"
Imagebase:	0x7ff6b9c80000
File size:	645'776 bytes
MD5 hash:	65265A6752011EDF039BDEAFEB4E1551
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:03:51
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32.5%
Total number of Nodes:	1199
Total number of Limit Nodes:	11

Executed Functions

Function 00007FF6B9C9E053 Relevance: 85.0, APIs: 2, Strings: 54, Instructions: 1009COMMON

Download Yara Rule

APIs

memchr.LIBCMT ref: 00007FF6B9C9E1C6
memchr.LIBCMT ref: 00007FF6B9C9E3D7

Part of subcall function 00007FF6B9CA5450: memchr.LIBCMT ref: 00007FF6B9CA54CF

Part of subcall function 00007FF6B9C9D640: _Mtx_unlock.LIBCPMT ref: 00007FF6B9C9D677

Strings

-force_online enables forced online activation, xrefs: 00007FF6B9C9F15F
) / , xrefs: 00007FF6B9C9E2CC
-unauth_check_days [numDays] sets the online activation grace period in days, xrefs: 00007FF6B9C9F139
days, xrefs: 00007FF6B9C9E774
Online check inactive, xrefs: 00007FF6B9C9E66C
-timeout [timeout] sets the online activation timeout in milliseconds, xrefs: 00007FF6B9C9F185
Setting online activation grace period to , xrefs: 00007FF6B9C9E74A
The following additional flags can be appended to the command line to enable specific features:, xrefs: 00007FF6B9C9F07B
aescriptsLicTool_Verbose, xrefs: 00007FF6B9C9E27A
&;, xrefs: 00007FF6B9C9E305
t, xrefs: 00007FF6B9C9EC60
aescriptsLicTool_Verbose productName - [licString] [version] -check, xrefs: 00007FF6B9C9F03D
-web, xrefs: 00007FF6B9C9E1D6, 00007FF6B9C9E3E7
'privNum' is the private number of the product (can be set to - to ignore for certain actions), xrefs: 00007FF6B9C9EEA9
usage: aescriptsLicTool_Verbose productName privNum [licString] [version], xrefs: 00007FF6B9C9EE5D
-unauth_check_days, xrefs: 00007FF6B9C9E715
-check, xrefs: 00007FF6B9C9E4B8
.43 (, xrefs: 00007FF6B9C9E2AE
-auth_check_days, xrefs: 00007FF6B9C9E6CE
20241006, xrefs: 00007FF6B9C9E2BD
-timeout, xrefs: 00007FF6B9C9E7DD
'version' is the optional version of the product to be licensed, xrefs: 00007FF6B9C9EF67
Using online check URL , xrefs: 00007FF6B9C9E681
Online check active, xrefs: 00007FF6B9C9E536
seconds, xrefs: 00007FF6B9C9E84F
-multi, xrefs: 00007FF6B9C9E45E
-offline_support, xrefs: 00007FF6B9C9E54B
-multi enables support for multi-licenses, xrefs: 00007FF6B9C9F0A1
6;, xrefs: 00007FF6B9C9E2F5
-force_online, xrefs: 00007FF6B9C9E786
'licString' is the license string of the product to be licensed, xrefs: 00007FF6B9C9EECF
-online, xrefs: 00007FF6B9C9E515
Offline licensing support active, xrefs: 00007FF6B9C9E56C
('licString' can be set to - to unlicense a product), xrefs: 00007FF6B9C9EEF5
Licenser mode call syntax:, xrefs: 00007FF6B9C9EFCB
%, xrefs: 00007FF6B9C9E2A6
License checker mode call syntax:, xrefs: 00007FF6B9C9F017
-url, xrefs: 00007FF6B9C9E581
-online enables online checks, xrefs: 00007FF6B9C9F0C7
Setting online activation check interval to , xrefs: 00007FF6B9C9E703
-auth_check_days [numDays] sets the online activation check interval in days, xrefs: 00007FF6B9C9F113
Support for multi-licenses active, xrefs: 00007FF6B9C9E482
AESCRIPTSLICLIB 4.1.3, xrefs: 00007FF6B9C9E2DB
The tool can also be run in 'licenser' or 'license checker' mode, xrefs: 00007FF6B9C9EFA5
|||||||||, xrefs: 00007FF6B9C9E9C7
'productName' is the name of the product to be validated or licensed (this is the filename of the license file without extension), xrefs: 00007FF6B9C9EE83
2000, xrefs: 00007FF6B9C9EAC2
('licString' can be set to PID@REMOTE to request a floating license - replace PID with the product ID on the server), xrefs: 00007FF6B9C9EF41
-license, xrefs: 00007FF6B9C9E4E4
-url [URL] sets the online check URL to use, xrefs: 00007FF6B9C9F0ED
Forced online activation active, xrefs: 00007FF6B9C9E7A9
('licString' can be set to -content to retrieve the current content of the license file as a string), xrefs: 00007FF6B9C9EF1B
Setting online activation timeout to , xrefs: 00007FF6B9C9E82F
aescriptsLicTool_Verbose productName - [licString] [version] -license, xrefs: 00007FF6B9C9EFF1

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: memchr$Mtx_unlock
String ID: days$ seconds$'licString' is the license string of the product to be licensed$'privNum' is the private number of the product (can be set to - to ignore for certain actions)$'productName' is the name of the product to be validated or licensed (this is the filename of the license file without extension)$'version' is the optional version of the product to be licensed$('licString' can be set to - to unlicense a product)$('licString' can be set to -content to retrieve the current content of the license file as a string)$('licString' can be set to PID@REMOTE to request a floating license - replace PID with the product ID on the server)$) / $-auth_check_days$-auth_check_days [numDays] sets the online activation check interval in days$-check$-force_online$-force_online enables forced online activation$-license$-multi$-multi enables support for multi-licenses$-offline_support$-online$-online enables online checks$-timeout$-timeout [timeout] sets the online activation timeout in milliseconds$-unauth_check_days$-unauth_check_days [numDays] sets the online activation grace period in days$-url$-url [URL] sets the online check URL to use$-web$.43 ($2000$20241006$AESCRIPTSLICLIB 4.1.3$Forced online activation active$License checker mode call syntax:$Licenser mode call syntax:$Offline licensing support active$Online check active$Online check inactive$Setting online activation check interval to $Setting online activation grace period to $Setting online activation timeout to $Support for multi-licenses active$The following additional flags can be appended to the command line to enable specific features:$The tool can also be run in 'licenser' or 'license checker' mode$Using online check URL $aescriptsLicTool_Verbose$aescriptsLicTool_Verbose productName - [licString] [version] -check$aescriptsLicTool_Verbose productName - [licString] [version] -license$t$usage: aescriptsLicTool_Verbose productName privNum [licString] [version]$|||||||||$%$&;$6;
API String ID: 3101769438-276666048
Opcode ID: b1b383baf7a04ba0b06efc75c45f175071b192e2f2503bbc900848fffc0211fc
Instruction ID: 8f5a859461d02ba21ae9d1e4eb5bab45b8f9d4bd2e968077e99f74bce3d5f02e
Opcode Fuzzy Hash: b1b383baf7a04ba0b06efc75c45f175071b192e2f2503bbc900848fffc0211fc
Instruction Fuzzy Hash: E2A26F21A1869685EB25DF2DD8583F92771EF55788F845031DB0ECBAABEF6CE605C300

Function 00007FF6B9CC2644 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__doserrno.LIBCMT ref: 00007FF6B9CC269A
_errno.LIBCMT ref: 00007FF6B9CC26A1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CC26AC

Strings

U, xrefs: 00007FF6B9CC2C0E

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 310e5d689b6c9005fc2c29a6e7927e47ab9f9910382af6568becb401648d8fdb
Instruction ID: b6ed4202921600c81b83f927f3b694d82e71fce99fccd2af3bf52cebd0dd459e
Opcode Fuzzy Hash: 310e5d689b6c9005fc2c29a6e7927e47ab9f9910382af6568becb401648d8fdb
Instruction Fuzzy Hash: AC12D372A1864286EB208F2DD48837E6BB1FB85794F504136EB8DC3AA4DF3DE545CB50

Function 00007FF6B9CD5644 Relevance: 48.6, APIs: 32, Instructions: 573COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6B9CD5685

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

__doserrno.LIBCMT ref: 00007FF6B9CD567E

Part of subcall function 00007FF6B9CB6658: _getptd_noexit.LIBCMT ref: 00007FF6B9CB665C

__doserrno.LIBCMT ref: 00007FF6B9CD56DE
_errno.LIBCMT ref: 00007FF6B9CD56E5
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CD5E8E

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: b1aebb7bc750ed6bd965db0952ebf2d304918c80961731e59570ffc347a6a6d3
Instruction ID: 1598fdf5fe9f011e66731fc2030e2ca9dad7663cd8b9d3346fc63e71ea8d488b
Opcode Fuzzy Hash: b1aebb7bc750ed6bd965db0952ebf2d304918c80961731e59570ffc347a6a6d3
Instruction Fuzzy Hash: 5B32D022A9C6C286FB219F2DC4882BC2BB0AF55798F548535CB1E87799DF3DED058710

Function 00007FF6B9CB7C18 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_callnewh.LIBCMT ref: 00007FF6B9CB7C26
malloc.LIBCMT ref: 00007FF6B9CB7C32

Part of subcall function 00007FF6B9CB5C2C: _FF_MSGBANNER.LIBCMT ref: 00007FF6B9CB5C5C
Part of subcall function 00007FF6B9CB5C2C: _NMSG_WRITE.LIBCMT ref: 00007FF6B9CB5C66
Part of subcall function 00007FF6B9CB5C2C: HeapAlloc.KERNEL32(?,?,00000000,00007FF6B9CBAE48,?,?,?,00007FF6B9CB93C0,?,?,?,00007FF6B9CB92BF), ref: 00007FF6B9CB5C81
Part of subcall function 00007FF6B9CB5C2C: _callnewh.LIBCMT ref: 00007FF6B9CB5C9A
Part of subcall function 00007FF6B9CB5C2C: _errno.LIBCMT ref: 00007FF6B9CB5CA5
Part of subcall function 00007FF6B9CB5C2C: _errno.LIBCMT ref: 00007FF6B9CB5CB0

Strings

bad allocation, xrefs: 00007FF6B9CB7C42

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _callnewh_errno$AllocHeapmalloc
String ID: bad allocation
API String ID: 3727741168-2104205924
Opcode ID: 7dfc25d6364a89fa24b2a1d03c71c712614c6b3cfffbc134d47ee1c094b8417a
Instruction ID: 5fa3066823c3cb6cf975381c4f8a8e988f1e8951903c1f3b450f3ae7b33f0066
Opcode Fuzzy Hash: 7dfc25d6364a89fa24b2a1d03c71c712614c6b3cfffbc134d47ee1c094b8417a
Instruction Fuzzy Hash: A6312F21E0CB5B45FE50AF69A8591B973B4AF42784F600538EB4DC6AA6EF3CF5058740

Function 00007FF6B9CB7CC5 Relevance: 21.1, APIs: 14, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_heap_init.LIBCMT ref: 00007FF6B9CB7CE8
_FF_MSGBANNER.LIBCMT ref: 00007FF6B9CB7CFA

Part of subcall function 00007FF6B9CBE6F0: _set_error_mode.LIBCMT ref: 00007FF6B9CBE6F9
Part of subcall function 00007FF6B9CBE6F0: _set_error_mode.LIBCMT ref: 00007FF6B9CBE708
Part of subcall function 00007FF6B9CBE6F0: _NMSG_WRITE.LIBCMT ref: 00007FF6B9CBE71F
Part of subcall function 00007FF6B9CBE6F0: _NMSG_WRITE.LIBCMT ref: 00007FF6B9CBE729

_NMSG_WRITE.LIBCMT ref: 00007FF6B9CB7D04
_mtinit.LIBCMT ref: 00007FF6B9CB7D13
_FF_MSGBANNER.LIBCMT ref: 00007FF6B9CB7D25
_NMSG_WRITE.LIBCMT ref: 00007FF6B9CB7D2F
_RTC_Initialize.LIBCMT ref: 00007FF6B9CB7D3E
_ioinit.LIBCMT ref: 00007FF6B9CB7D44
fast_error_exit.LIBCMT ref: 00007FF6B9CB7D52
GetCommandLineA.KERNEL32 ref: 00007FF6B9CB7D57
__crtGetEnvironmentStringsA.LIBCMT ref: 00007FF6B9CB7D64
__setargv.LIBCMT ref: 00007FF6B9CB7D70
_setenvp.LIBCMT ref: 00007FF6B9CB7D83
_cinit.LIBCMT ref: 00007FF6B9CB7D98

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _set_error_mode$CommandEnvironmentInitializeLineStrings__crt__setargv_cinit_heap_init_ioinit_mtinit_setenvpfast_error_exit
String ID:
API String ID: 3166661917-0
Opcode ID: b0981de98021ddb0104c549e5ebe9159d348e26bf22f0a2f6efc72fa0723fe93
Instruction ID: 96372eac869c0d6519e3ce9faada33103ff76615845e9e61c84b6440eb82aa91
Opcode Fuzzy Hash: b0981de98021ddb0104c549e5ebe9159d348e26bf22f0a2f6efc72fa0723fe93
Instruction Fuzzy Hash: B3315C21E0C65B46FB907F7DA55E2B935B1AF82744F640439EB0DC66E3EF2CB8408291

Function 00007FF6B9CD5528 Relevance: 16.6, APIs: 11, Instructions: 81
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 00007FF6B9CD555A

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

__doserrno.LIBCMT ref: 00007FF6B9CD5551

Part of subcall function 00007FF6B9CB6658: _getptd_noexit.LIBCMT ref: 00007FF6B9CB665C

__doserrno.LIBCMT ref: 00007FF6B9CD55B7
_errno.LIBCMT ref: 00007FF6B9CD55BE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CD5622

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 45f8a82ceec06cf673c7f0369de7f0b233dfce2b3635af425e81092c052b3ba0
Instruction ID: a44bbf6b5f79ccd638ed5745f74a55306849712e7123bcb73d9808ded6430ea6
Opcode Fuzzy Hash: 45f8a82ceec06cf673c7f0369de7f0b233dfce2b3635af425e81092c052b3ba0
Instruction Fuzzy Hash: 82310532B8869A46E7126F6DD84917D3670AF817A0F854539EB2D877D6CF7CE8018710

Function 00007FF6B9CC4E1C Relevance: 15.1, APIs: 10, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 00007FF6B9CC4E47

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

__doserrno.LIBCMT ref: 00007FF6B9CC4E3F

Part of subcall function 00007FF6B9CB6658: _getptd_noexit.LIBCMT ref: 00007FF6B9CB665C

__lock_fhandle.LIBCMT ref: 00007FF6B9CC4E8B
_lseek_nolock.LIBCMT ref: 00007FF6B9CC4EA4
_unlock_fhandle.LIBCMT ref: 00007FF6B9CC4EC5

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: 72afa058709bb828e96d3415c19377e2bbb9911eed6dfa1a6824f421d2ce3fe8
Instruction ID: 6ddb6b450f90d93c2afabe58f9aa2e37e9ef64a0f53f39d82f43e94b2afffb8d
Opcode Fuzzy Hash: 72afa058709bb828e96d3415c19377e2bbb9911eed6dfa1a6824f421d2ce3fe8
Instruction Fuzzy Hash: B521D022F0865645E7116F2DD94937CA9706F807A0F568638EB1D873E2CF7CA8418310

Function 00007FF6B9CC2314 Relevance: 15.1, APIs: 10, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 00007FF6B9CC233F

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

__doserrno.LIBCMT ref: 00007FF6B9CC2337

Part of subcall function 00007FF6B9CB6658: _getptd_noexit.LIBCMT ref: 00007FF6B9CB665C

__lock_fhandle.LIBCMT ref: 00007FF6B9CC2383
_lseeki64_nolock.LIBCMT ref: 00007FF6B9CC239C
_unlock_fhandle.LIBCMT ref: 00007FF6B9CC23BF

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: dd8faada70b3f1f2db14f4a0876ca9cda89bb6854984bafce4abb2666d957345
Instruction ID: bdf2fe7087bfd47b6e0d3ca150055838855e54b90150a3e8a2bd5732429a68a1
Opcode Fuzzy Hash: dd8faada70b3f1f2db14f4a0876ca9cda89bb6854984bafce4abb2666d957345
Instruction Fuzzy Hash: 8421D022B0869985EA116F1EE94937D69706F84BB0F490738EB3D873D2CF3CE8408720

Function 00007FF6B9CC2564 Relevance: 13.6, APIs: 9, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 00007FF6B9CC258F

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

__doserrno.LIBCMT ref: 00007FF6B9CC2587

Part of subcall function 00007FF6B9CB6658: _getptd_noexit.LIBCMT ref: 00007FF6B9CB665C

__lock_fhandle.LIBCMT ref: 00007FF6B9CC25D3
_unlock_fhandle.LIBCMT ref: 00007FF6B9CC260D

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: 5fcd879006f93b5fe29c795d0880f50e6eebd262978a8f42948adc3209e56eb7
Instruction ID: 2f2cc29a256b185e9b159dd30109959c366cae7b7dfa8046a040c324176340a3
Opcode Fuzzy Hash: 5fcd879006f93b5fe29c795d0880f50e6eebd262978a8f42948adc3209e56eb7
Instruction Fuzzy Hash: 8321CF22A0899646E7116F2DD94937D69706F81BA0F454538EB2D877E2CF7CE8418760

Function 00007FF6B9CC36E8 Relevance: 13.6, APIs: 9, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 00007FF6B9CC3709

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

__doserrno.LIBCMT ref: 00007FF6B9CC3701

Part of subcall function 00007FF6B9CB6658: _getptd_noexit.LIBCMT ref: 00007FF6B9CB665C

__lock_fhandle.LIBCMT ref: 00007FF6B9CC374D
_close_nolock.LIBCMT ref: 00007FF6B9CC3760
_unlock_fhandle.LIBCMT ref: 00007FF6B9CC3779

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: f87f21952b45cb965ec34267ab40e2fd4b9299d68018c2f6f6fc69f248886a23
Instruction ID: df391b199be703fbf7ea850c8554a3083ba737c98b1ddaba962476a867514f94
Opcode Fuzzy Hash: f87f21952b45cb965ec34267ab40e2fd4b9299d68018c2f6f6fc69f248886a23
Instruction Fuzzy Hash: A111EE72A0C68A46F7156F2DEAAD27C2A70AF81761F590638DB1DC72D3DF7CA8408750

Function 00007FF6B9CA3A00 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fgetc.LIBCMT ref: 00007FF6B9CA3ABB

Strings

string too long, xrefs: 00007FF6B9CA3C9E, 00007FF6B9CA3CAB

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: fgetc
String ID: string too long
API String ID: 2807381905-2556327735
Opcode ID: 1a938cfd65599276fb3aadb580e9b2d1027a9da448c82545d8171305ed1fd370
Instruction ID: 58f08a271ad2132f495dd7a451774aac217621644b8c937649c5e558cafd0987
Opcode Fuzzy Hash: 1a938cfd65599276fb3aadb580e9b2d1027a9da448c82545d8171305ed1fd370
Instruction Fuzzy Hash: 1B912732705A41DAEB148F69C4A42AC73B4FB44B68F450732EB2D93BD9DF39D9648310

Function 00007FF6B9C8DF90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSACleanup.WS2_32 ref: 00007FF6B9C8E0D8
_Mtx_destroy.LIBCPMT ref: 00007FF6B9C8E119
_Mtx_destroy.LIBCPMT ref: 00007FF6B9C8E126
_Mtx_destroy.LIBCPMT ref: 00007FF6B9C8E133

Part of subcall function 00007FF6B9C915D0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FF6B9C9171B

Strings

1.0.0, xrefs: 00007FF6B9C8E014

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Mtx_destroy$CleanupIos_base_dtorstd::ios_base::_
String ID: 1.0.0
API String ID: 4003963943-322658870
Opcode ID: e2633af78b420bc41f454823a79be59aadfea9a2133544200fed54a12148376b
Instruction ID: 67430e67c5fca83d610ce5d3caf2eeaa5649916a8a33fa67d7cfb0866cdccad7
Opcode Fuzzy Hash: e2633af78b420bc41f454823a79be59aadfea9a2133544200fed54a12148376b
Instruction Fuzzy Hash: 3E513822A1DAA681F710DF1AE8883797772FB86394F901234DB5D836E6CF3DE4448704

Function 00007FF6B9CA35E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

string too long, xrefs: 00007FF6B9CA3863, 00007FF6B9CA3870

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID:
String ID: string too long
API String ID: 0-2556327735
Opcode ID: 70e423f66ee6790fe538ff7c039c66202f1dfd9db47b5ea2ea59a5846aeafa6a
Instruction ID: a36a90799534d835ff8d32262dd04c7aa880c6518506c8b95b142b0594ee78c1
Opcode Fuzzy Hash: 70e423f66ee6790fe538ff7c039c66202f1dfd9db47b5ea2ea59a5846aeafa6a
Instruction Fuzzy Hash: 82916D72B18A819AEB148F69D4642EC37B1F7047A8F904636EB2D97BD8DF38D564C340

Function 00007FF6B9CB0974 Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fsopen.LIBCMT ref: 00007FF6B9CB0909
fclose.LIBCMT ref: 00007FF6B9CB0916
_fsopen.LIBCMT ref: 00007FF6B9CB092B
fseek.LIBCMT ref: 00007FF6B9CB0945

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _fsopen$fclosefseek
String ID:
API String ID: 410343947-0
Opcode ID: 264fa5cf69113298d8e32d3fe2f0c6501ea07c7103afaa3aed354072517c642a
Instruction ID: 06f8222b34e077698df6b0685b1121a423b60624b3d50e3166a02814d3c7ca36
Opcode Fuzzy Hash: 264fa5cf69113298d8e32d3fe2f0c6501ea07c7103afaa3aed354072517c642a
Instruction Fuzzy Hash: A921B421F1960A85FAA8CE0ED49977932B1EF46B84F188134CF4DC7B99DF2EE9418740

Function 00007FF6B9CC741C Relevance: 4.6, APIs: 3, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_SpinWait.LIBCMT ref: 00007FF6B9CC74DE
Concurrency::details::ResourceManager::ResourceManager.LIBCMT ref: 00007FF6B9CC7512
Concurrency::details::ResourceManager::ResourceManager.LIBCMT ref: 00007FF6B9CC7552

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Resource$Concurrency::details::ManagerManager::$SpinWait
String ID:
API String ID: 2068395708-0
Opcode ID: b6795b7f52903b4d6eb5cbc4091ac2d6def441bb89f3e22c6d367937602bf315
Instruction ID: bb465e6799f3e04d8047ffc27ebd7eb03af234562de1ad490581a3357ab74344
Opcode Fuzzy Hash: b6795b7f52903b4d6eb5cbc4091ac2d6def441bb89f3e22c6d367937602bf315
Instruction Fuzzy Hash: 93213921B09A4385EB91DF6AE4582796AB4DF49750F284138DB4ECB3E1EF3CF4448B90

Function 00007FF6B9C8DE90 Relevance: 4.5, APIs: 3, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Mtx_init.LIBCPMT ref: 00007FF6B9C8DEBA

Part of subcall function 00007FF6B9CB0FF0: calloc.LIBCMT ref: 00007FF6B9CB1010

_Mtx_init.LIBCPMT ref: 00007FF6B9C8DED6
_Mtx_init.LIBCPMT ref: 00007FF6B9C8DEF2

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Mtx_init$calloc
String ID:
API String ID: 2545118020-0
Opcode ID: f828f983e790094a28bbb2a708ea9e09a06a1c05030c6f23811644e6675f23a9
Instruction ID: 450e60b68164f596bee30ecf224069f24b7b5a35b54512e0f7755f96487971ef
Opcode Fuzzy Hash: f828f983e790094a28bbb2a708ea9e09a06a1c05030c6f23811644e6675f23a9
Instruction Fuzzy Hash: C921A522F0DA7285F750DF6AA89937436B6AF1B304F440638C74DC72A6EF7CA0449329

Function 00007FF6B9CA3D00 Relevance: 3.1, APIs: 2, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fseeki64.LIBCMT ref: 00007FF6B9CA3D68
fgetpos.LIBCMT ref: 00007FF6B9CA3D7D

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _fseeki64fgetpos
String ID:
API String ID: 3401907645-0
Opcode ID: 2d07afbde344102b07baddbf295aeba4b69dc366d2f8b588f6cf9893c080d52c
Instruction ID: 2dd3310c387dc60e83e02ddceecdf8a5a81baf3f1e49d7d5b390ab4881bc9e05
Opcode Fuzzy Hash: 2d07afbde344102b07baddbf295aeba4b69dc366d2f8b588f6cf9893c080d52c
Instruction Fuzzy Hash: 95210632A18B45C6EB55AF2AE55836973B4FB48B84F144032DF4CC7769DF38E8A68300

Function 00007FF6B9C84980 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FF6B9C84C14

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 9b44925c02c2e88953423d10a3ad63bf04538ca92b4ab34bcf1bfa73036b6fc8
Instruction ID: 7bb0f1caed98d05d6426d3e959614a4e33b53b0f46dfea44835c3def9557a2bb
Opcode Fuzzy Hash: 9b44925c02c2e88953423d10a3ad63bf04538ca92b4ab34bcf1bfa73036b6fc8
Instruction Fuzzy Hash: 8B915D32604B8185EB24DF69E8883BD37B5F741798F504035EB5D87A99DF39D585C340

Function 00007FF6B9CA8510 Relevance: 1.6, APIs: 1, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Xbad_alloc.LIBCPMT ref: 00007FF6B9CA859D

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Xbad_allocstd::_
String ID:
API String ID: 3176948561-0
Opcode ID: b25b15a0a6981202789ae43a53349b1dbe77c2363a8764ac63b19ae5d2016aa1
Instruction ID: d6f1d9cc3909fd2f59b87d91e23ffdb1d7e455bb7b070c5cd4fd6709bc493d86
Opcode Fuzzy Hash: b25b15a0a6981202789ae43a53349b1dbe77c2363a8764ac63b19ae5d2016aa1
Instruction Fuzzy Hash: 5A219E71A09B4642FA249F6D994817866B0AB11BF4F508730DF3D57ADDDF3CD8428344

Function 00007FF6B9CA5E90 Relevance: 1.6, APIs: 1, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

fclose.LIBCMT ref: 00007FF6B9CA5EC9

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: fclose
String ID:
API String ID: 3125558077-0
Opcode ID: 5a875a415c49c9c20a898516846b72c16f7ad0147206709a1b9ba25a693ae870
Instruction ID: ba61d7fd9643b6c499ef13b463d03698a3803ee4e73590b99e6b574f2a8a7edd
Opcode Fuzzy Hash: 5a875a415c49c9c20a898516846b72c16f7ad0147206709a1b9ba25a693ae870
Instruction Fuzzy Hash: 9621DF32605B8085DB018F39E59039D73B8FB98F88F548126CB8D87768DF39C896C790

Function 00007FF6B9C83730 Relevance: 1.5, APIs: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF6B9C83785

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: d796a6bf9521cb0195dfca69093e4acaf78ed48d890644789f0a43a6fc02fca1
Instruction ID: d6497eaf9b9e0663de67ce1f30d5c70413984cce01e90cdb6a6006e318d42a4d
Opcode Fuzzy Hash: d796a6bf9521cb0195dfca69093e4acaf78ed48d890644789f0a43a6fc02fca1
Instruction Fuzzy Hash: DD011D39F1DA6686FB94DF19A5A53B533B1FB9A344F801135CA0DC7341EE2CD4018A40

Function 00007FF6B9C9D640 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_Mtx_unlock.LIBCPMT ref: 00007FF6B9C9D677

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Mtx_unlock
String ID:
API String ID: 1418687624-0
Opcode ID: d06215beca06562395e28bd098bf8e419738607fef14e18969a7b4fe457cafd1
Instruction ID: c5446e08682a441c975cac0df73ff608b00d79addc643eeba7956acfcd3f0051
Opcode Fuzzy Hash: d06215beca06562395e28bd098bf8e419738607fef14e18969a7b4fe457cafd1
Instruction Fuzzy Hash: F3F01512F0C64682FB55AF6EA5DA0BD21B26F8D354F845535E70DD7287EF2CE8858310

Function 00007FF6B9CB7C2F Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 00007FF6B9CB7C26
malloc.LIBCMT ref: 00007FF6B9CB7C32

Part of subcall function 00007FF6B9CB5C2C: _FF_MSGBANNER.LIBCMT ref: 00007FF6B9CB5C5C
Part of subcall function 00007FF6B9CB5C2C: _NMSG_WRITE.LIBCMT ref: 00007FF6B9CB5C66
Part of subcall function 00007FF6B9CB5C2C: HeapAlloc.KERNEL32(?,?,00000000,00007FF6B9CBAE48,?,?,?,00007FF6B9CB93C0,?,?,?,00007FF6B9CB92BF), ref: 00007FF6B9CB5C81
Part of subcall function 00007FF6B9CB5C2C: _callnewh.LIBCMT ref: 00007FF6B9CB5C9A
Part of subcall function 00007FF6B9CB5C2C: _errno.LIBCMT ref: 00007FF6B9CB5CA5
Part of subcall function 00007FF6B9CB5C2C: _errno.LIBCMT ref: 00007FF6B9CB5CB0

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _callnewh_errno$AllocHeapmalloc
String ID:
API String ID: 3727741168-0
Opcode ID: 6e648e51d8c46801f16917810c9e2fad3662a4875bcee400e5c3c3c9bf6f3398
Instruction ID: f86c0dff3502862a705e0cc4d5349178e96122a1fdd97febc4a9c110f24f9617
Opcode Fuzzy Hash: 6e648e51d8c46801f16917810c9e2fad3662a4875bcee400e5c3c3c9bf6f3398
Instruction Fuzzy Hash: 9AB01281E0630751FC051A15500513430710F44341C0C0834CF0E407C35F1C68914010

Non-executed Functions

Function 00007FF6B9C8E480 Relevance: 180.7, APIs: 2, Strings: 100, Instructions: 2243COMMON

Download Yara Rule

APIs

_time64.LIBCMT ref: 00007FF6B9C8EC5A

Part of subcall function 00007FF6B9CB7BB8: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6B9CB7BC6

rand.LIBCMT ref: 00007FF6B9C90C56

Part of subcall function 00007FF6B9C8E1B0: _time64.LIBCMT ref: 00007FF6B9C8E1BB

Strings

Server response: , xrefs: 00007FF6B9C900CF
t, xrefs: 00007FF6B9C90F2D
, 'error_code' = , xrefs: 00007FF6B9C90572
, lastActivationTry: , xrefs: 00007FF6B9C8EEF0
doOnlineCheck start, mode , xrefs: 00007FF6B9C8E55D
FLT, xrefs: 00007FF6B9C8E6DB
Server says license is invalid (E, xrefs: 00007FF6B9C9060E
#OFF, xrefs: 00007FF6B9C8E85A
id:, xrefs: 00007FF6B9C90836
20241006, xrefs: 00007FF6B9C8FDDB
error_code:, xrefs: 00007FF6B9C902F3
FSU, xrefs: 00007FF6B9C8E735
(permanent activation!), xrefs: 00007FF6B9C90CA0
Online check start: lastActivation: , xrefs: 00007FF6B9C8EECB
Product is over the initial grace period of , xrefs: 00007FF6B9C8F24F
': , xrefs: 00007FF6B9C8FEA4
(e: , xrefs: 00007FF6B9C8FC02
//ipa, xrefs: 00007FF6B9C8F57E
|a:1, xrefs: 00007FF6B9C90F95
), so invalidating local license, xrefs: 00007FF6B9C906E2, 00007FF6B9C90721, 00007FF6B9C90760, 00007FF6B9C9079F
days is over, so successfuly online check is immediately necessary, xrefs: 00007FF6B9C8F13B
bytes received, xrefs: 00007FF6B9C8FF24
code:, xrefs: 00007FF6B9C904B3
BTA, xrefs: 00007FF6B9C8E78F
Received a valid response from the server, 'status' = 'ok', 'code' = , xrefs: 00007FF6B9C9064E, 00007FF6B9C90671
ps:, xrefs: 00007FF6B9C8F56A
v1/, xrefs: 00007FF6B9C8F39C
Product has not been activated, doing online check, xrefs: 00007FF6B9C8F1F5
Server says license is invalid (L, xrefs: 00007FF6B9C90742, 00007FF6B9C909BD
c, xrefs: 00007FF6B9C903C1
Online check send data for ', xrefs: 00007FF6B9C8FE81
, 'license_status' = , xrefs: 00007FF6B9C90691
doOnlineCheck: invalid license, skipping online check, xrefs: 00007FF6B9C8EB89
|d:, xrefs: 00007FF6B9C8F80D, 00007FF6B9C90B4D, 00007FF6B9C90E3C
1.0.0|||||, xrefs: 00007FF6B9C8FA74
_status:, xrefs: 00007FF6B9C903D5
|a:, xrefs: 00007FF6B9C90AB7, 00007FF6B9C90D4B
Invalid response from server for deactivation, xrefs: 00007FF6B9C907EF
aescripts-license-fw/, xrefs: 00007FF6B9C8FDF0
days ago, grace period of , xrefs: 00007FF6B9C8F125
Using online check URL: , xrefs: 00007FF6B9C8F772
aescripts, xrefs: 00007FF6B9C8F409
Product has been successfully activated before and is still in allowed period of , xrefs: 00007FF6B9C8F144
Product has not been activated, but online check already done today, xrefs: 00007FF6B9C8F20B
days, xrefs: 00007FF6B9C8F15C, 00007FF6B9C8F198
Online check disabled - return, xrefs: 00007FF6B9C9108E
sending device ID , xrefs: 00007FF6B9C8FBE4
Product has been successfully activated before, but more than , xrefs: 00007FF6B9C8F0DC, 00007FF6B9C8F10B
days, so no further online check is necessary at the moment, xrefs: 00007FF6B9C8F0CB
Online check end, xrefs: 00007FF6B9C91063
Server says missing device ID (E, xrefs: 00007FF6B9C905F0
Updating local license (lastActivationTryTimestamp only) with , xrefs: 00007FF6B9C90A55
TLC, xrefs: 00007FF6B9C8FA5F
doOnlineCheck: invalid license (trial license), skipping online check, xrefs: 00007FF6B9C8E5C9
activate, xrefs: 00007FF6B9C8E52B, 00007FF6B9C8F6E0
Server says license is expired (L, xrefs: 00007FF6B9C906C4
Server says deactivation successful, xrefs: 00007FF6B9C907C7
Server did not respond or came back with an invalid response, xrefs: 00007FF6B9C90536
Invalidating local license, xrefs: 00007FF6B9C90EFD
Product has been successfully activated more than 4 times - skipping online check in future, xrefs: 00007FF6B9C8ECAB
Server sent device_id , xrefs: 00007FF6B9C90986
Online check return code of web request: , xrefs: 00007FF6B9C8FEDD
WARNING: Server response is not encrypted - tolerated for now, but should be changed to an ecrypted text!, xrefs: 00007FF6B9C90093
&device_id=, xrefs: 00007FF6B9C8FB9F
and initializing lastActivationTimestamp, xrefs: 00007FF6B9C90A47
Updating local license (lastActivationTryTimestamp) with , xrefs: 00007FF6B9C90A2E
deactivate, xrefs: 00007FF6B9C8E549
Server says record not found (E, xrefs: 00007FF6B9C905CD
result:, xrefs: 00007FF6B9C903F0
Updating local license (lastActivationTryTimestamp and lastActivationTimestamp) with , xrefs: 00007FF6B9C90C80, 00007FF6B9C90CAE
p, xrefs: 00007FF6B9C8FE67
days, enforcing activation, xrefs: 00007FF6B9C8F26F
&lic=, xrefs: 00007FF6B9C8FCC4
Server says payload is invalid (E, xrefs: 00007FF6B9C905AA
error:, xrefs: 00007FF6B9C902DC, 00007FF6B9C90455
1.0.0, xrefs: 00007FF6B9C90F58
doOnlineCheck: product is permanently activated - skipping online check, xrefs: 00007FF6B9C8EBAD
days) - activation step #, xrefs: 00007FF6B9C8F029
Server says license is over activation limit (L, xrefs: 00007FF6B9C90703
Received a valid response from the server, 'status' = 'error', 'code' = , xrefs: 00007FF6B9C90552
days ago, so starting new grace period of , xrefs: 00007FF6B9C8F0F7
Next required successful online activation check in , xrefs: 00007FF6B9C8F173
ESB, xrefs: 00007FF6B9C8EE85, 00007FF6B9C90C37
doOnlineCheck: license type not suited for online check (FLT/FSU/BTA/#OFF), skipping online check, xrefs: 00007FF6B9C8E8FC
Product requires an immediate successful online activation!, xrefs: 00007FF6B9C8EF7B
&mode=, xrefs: 00007FF6B9C8FC7C
SUB, xrefs: 00007FF6B9C8EE2F, 00007FF6B9C90C1F
days (currently , xrefs: 00007FF6B9C8F010
Server says license is valid, xrefs: 00007FF6B9C9081A
Trigger for , xrefs: 00007FF6B9C8EF38
Server did not respond or came back with an invalid response, but activation is enforced, so invalidating local license, xrefs: 00007FF6B9C90642
|o:, xrefs: 00007FF6B9C90AA2, 00007FF6B9C90D36
Server says subscription is invalid (L, xrefs: 00007FF6B9C90781
com/api/, xrefs: 00007FF6B9C8F36C
Product needs activation, as it it over the activation interval of , xrefs: 00007FF6B9C8EFEF
WARNING: no local device ID found to send to server for deactivation!, xrefs: 00007FF6B9C8FC59
activation of this product, xrefs: 00007FF6B9C8EF59
Product has been successfully activated within the last , xrefs: 00007FF6B9C8F0B3
license, xrefs: 00007FF6B9C8F619
&p=, xrefs: 00007FF6B9C8F9AB

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Time_time64$FileSystemrand
String ID: (e: $ (permanent activation!)$ and initializing lastActivationTimestamp$ bytes received$ days$ days (currently $ days ago, grace period of $ days ago, so starting new grace period of $ days is over, so successfuly online check is immediately necessary$ days) - activation step #$ days, enforcing activation$ days, so no further online check is necessary at the moment$#OFF$&device_id=$&lic=$&mode=$&p=$': $), so invalidating local license$, 'error_code' = $, 'license_status' = $, lastActivationTry: $//ipa$1.0.0$1.0.0|||||$20241006$BTA$ESB$FLT$FSU$Invalid response from server for deactivation$Invalidating local license$Next required successful online activation check in $Online check disabled - return$Online check end$Online check return code of web request: $Online check send data for '$Online check start: lastActivation: $Product has been successfully activated before and is still in allowed period of $Product has been successfully activated before, but more than $Product has been successfully activated more than 4 times - skipping online check in future$Product has been successfully activated within the last $Product has not been activated, but online check already done today$Product has not been activated, doing online check$Product is over the initial grace period of $Product needs activation, as it it over the activation interval of $Product requires an immediate successful online activation!$Received a valid response from the server, 'status' = 'error', 'code' = $Received a valid response from the server, 'status' = 'ok', 'code' = $SUB$Server did not respond or came back with an invalid response$Server did not respond or came back with an invalid response, but activation is enforced, so invalidating local license$Server response: $Server says deactivation successful$Server says license is expired (L$Server says license is invalid (E$Server says license is invalid (L$Server says license is over activation limit (L$Server says license is valid$Server says missing device ID (E$Server says payload is invalid (E$Server says record not found (E$Server says subscription is invalid (L$Server sent device_id $TLC$Trigger for $Updating local license (lastActivationTryTimestamp and lastActivationTimestamp) with $Updating local license (lastActivationTryTimestamp only) with $Updating local license (lastActivationTryTimestamp) with $Using online check URL: $WARNING: Server response is not encrypted - tolerated for now, but should be changed to an ecrypted text!$WARNING: no local device ID found to send to server for deactivation!$_status:$activate$activation of this product$aescripts$aescripts-license-fw/$c$code:$com/api/$deactivate$doOnlineCheck start, mode $doOnlineCheck: invalid license (trial license), skipping online check$doOnlineCheck: invalid license, skipping online check$doOnlineCheck: license type not suited for online check (FLT/FSU/BTA/#OFF), skipping online check$doOnlineCheck: product is permanently activated - skipping online check$error:$error_code:$id:$license$p$ps:$result:$sending device ID $t$v1/$|a:$|a:1$|d:$|o:
API String ID: 2872900303-3171066617
Opcode ID: cde1f9f71d052a22059f2b192bdd61bd95ecc560b8be3e69d30f7cb304b23565
Instruction ID: 209d80211ac1a9d1942d681fe06a8e7cf9eb26295beda45eb7c68b2e262012bf
Opcode Fuzzy Hash: cde1f9f71d052a22059f2b192bdd61bd95ecc560b8be3e69d30f7cb304b23565
Instruction Fuzzy Hash: 37339231A0CAC691EA60EF18E8993FA6771EB81394F805235D74DC7AEADF2CD549C740

Function 00007FF6B9CDCB44 Relevance: 180.6, APIs: 85, Strings: 18, Instructions: 371libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCB63
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCB73
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCB94
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCBA4
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCBC5
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCBD5
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCBF6
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCC06
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCC27
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCC37
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCC58
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCC68
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCC89
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCC99
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCCBA
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCCCA
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCCEB
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCCFB
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCD1C
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCD2C
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCD4D
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCD5D
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCD7E
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCD8E
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCDAF
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCDBF
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCDE0
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCDF0
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCE11
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCE21
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCE42
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCE52
GetModuleHandleW.KERNEL32 ref: 00007FF6B9CDCE73
GetProcAddress.KERNEL32 ref: 00007FF6B9CDCE83
GetLastError.KERNEL32 ref: 00007FF6B9CDCEBD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDCED6
_CxxThrowException.LIBCMT ref: 00007FF6B9CDCEE7
GetLastError.KERNEL32 ref: 00007FF6B9CDCEED
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDCF05
_CxxThrowException.LIBCMT ref: 00007FF6B9CDCF15
GetLastError.KERNEL32 ref: 00007FF6B9CDCF1B
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDCF33
_CxxThrowException.LIBCMT ref: 00007FF6B9CDCF43
GetLastError.KERNEL32 ref: 00007FF6B9CDCF49
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDCF64
_CxxThrowException.LIBCMT ref: 00007FF6B9CDCF77
GetLastError.KERNEL32 ref: 00007FF6B9CDCF7D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDCF95
_CxxThrowException.LIBCMT ref: 00007FF6B9CDCFA5
GetLastError.KERNEL32 ref: 00007FF6B9CDCFAB
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDCFC6
_CxxThrowException.LIBCMT ref: 00007FF6B9CDCFD9
GetLastError.KERNEL32 ref: 00007FF6B9CDCFDF
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDCFF7
_CxxThrowException.LIBCMT ref: 00007FF6B9CDD007
GetLastError.KERNEL32 ref: 00007FF6B9CDD00D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDD028
_CxxThrowException.LIBCMT ref: 00007FF6B9CDD03B
GetLastError.KERNEL32 ref: 00007FF6B9CDD041
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDD05A
_CxxThrowException.LIBCMT ref: 00007FF6B9CDD06B
GetLastError.KERNEL32 ref: 00007FF6B9CDD071
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDD08A
_CxxThrowException.LIBCMT ref: 00007FF6B9CDD09B
GetLastError.KERNEL32 ref: 00007FF6B9CDD0A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDD0B9
_CxxThrowException.LIBCMT ref: 00007FF6B9CDD0C9
GetLastError.KERNEL32 ref: 00007FF6B9CDD0CF
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDD0E7
_CxxThrowException.LIBCMT ref: 00007FF6B9CDD0F7
GetLastError.KERNEL32 ref: 00007FF6B9CDD0FD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDD115
_CxxThrowException.LIBCMT ref: 00007FF6B9CDD125
GetLastError.KERNEL32 ref: 00007FF6B9CDD12B
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDD143
_CxxThrowException.LIBCMT ref: 00007FF6B9CDD153
GetLastError.KERNEL32 ref: 00007FF6B9CDD159
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDD174
_CxxThrowException.LIBCMT ref: 00007FF6B9CDD187
GetLastError.KERNEL32 ref: 00007FF6B9CDD18D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDD1A8
_CxxThrowException.LIBCMT ref: 00007FF6B9CDD1BB
GetLastError.KERNEL32 ref: 00007FF6B9CDD1C1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CDD1DC
_CxxThrowException.LIBCMT ref: 00007FF6B9CDD1EF

Strings

CreateUmsCompletionList, xrefs: 00007FF6B9CDCB9A
QueryUmsThreadInformation, xrefs: 00007FF6B9CDCDE6
kernel32.dll, xrefs: 00007FF6B9CDCB59
SetUmsThreadInformation, xrefs: 00007FF6B9CDCE17
ExecuteUmsThread, xrefs: 00007FF6B9CDCCF1
DeleteUmsThreadContext, xrefs: 00007FF6B9CDCC5E
InitializeProcThreadAttributeList, xrefs: 00007FF6B9CDCDB5
DeleteProcThreadAttributeList, xrefs: 00007FF6B9CDCBFC
DeleteUmsCompletionList, xrefs: 00007FF6B9CDCC2D
EnterUmsSchedulingMode, xrefs: 00007FF6B9CDCCC0
CreateUmsThreadContext, xrefs: 00007FF6B9CDCBCB
UmsThreadYield, xrefs: 00007FF6B9CDCE48
GetNextUmsListItem, xrefs: 00007FF6B9CDCD53
DequeueUmsCompletionListItems, xrefs: 00007FF6B9CDCC8F
UpdateProcThreadAttribute, xrefs: 00007FF6B9CDCE79
GetUmsCompletionListEvent, xrefs: 00007FF6B9CDCD84
CreateRemoteThreadEx, xrefs: 00007FF6B9CDCB69
GetCurrentUmsThread, xrefs: 00007FF6B9CDCD22

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: AddressConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionHandleLastModuleProcThrow
String ID: CreateRemoteThreadEx$CreateUmsCompletionList$CreateUmsThreadContext$DeleteProcThreadAttributeList$DeleteUmsCompletionList$DeleteUmsThreadContext$DequeueUmsCompletionListItems$EnterUmsSchedulingMode$ExecuteUmsThread$GetCurrentUmsThread$GetNextUmsListItem$GetUmsCompletionListEvent$InitializeProcThreadAttributeList$QueryUmsThreadInformation$SetUmsThreadInformation$UmsThreadYield$UpdateProcThreadAttribute$kernel32.dll
API String ID: 1942842289-2643937717
Opcode ID: 2beddd28d9a71738a41f93e85f78c5167e4941fd89a7b66c7690ebcdfcd8415d
Instruction ID: fe73f574a94d9899fdf8bd99d800450c867530e9db2b164022deddfa8c521738
Opcode Fuzzy Hash: 2beddd28d9a71738a41f93e85f78c5167e4941fd89a7b66c7690ebcdfcd8415d
Instruction Fuzzy Hash: 99022921E09A5785FF04EF6AA91C2B822F1BF89788F849535D60DC7295EF3DE109C394

Function 00007FF6B9C9FB3E Relevance: 55.9, Strings: 44, Instructions: 905COMMON

Download Yara Rule

Strings

t, xrefs: 00007FF6B9C9FE2F
status: floating licenses can only be used with the floating license server, xrefs: 00007FF6B9CA02D8
1.0.0, xrefs: 00007FF6B9C9FDD0, 00007FF6B9C9FF61
J, xrefs: 00007FF6B9CA0671
, xrefs: 00007FF6B9CA03B8
local license deactivated, xrefs: 00007FF6B9C9FEF9
result: , xrefs: 00007FF6B9CA0080, 00007FF6B9CA02A9, 00007FF6B9CA05B5
to , xrefs: 00007FF6B9CA0775
content, xrefs: 00007FF6B9C9FB75
loading license directly (*, xrefs: 00007FF6B9CA0461
l, xrefs: 00007FF6B9CA070F
ESB, xrefs: 00007FF6B9CA069A
_RENDER_ONLY, xrefs: 00007FF6B9C9FFF8, 00007FF6B9CA000E
a_succ: , xrefs: 00007FF6B9CA061D
, xrefs: 00007FF6B9CA04BB
remote license lease dropped, xrefs: 00007FF6B9C9FE14
a_try: , xrefs: 00007FF6B9CA05E1
-, xrefs: 00007FF6B9CA04AE
-, xrefs: 00007FF6B9C9FE3B
DATA*, xrefs: 00007FF6B9CA03FB
valid, xrefs: 00007FF6B9CA0701
FLT, xrefs: 00007FF6B9C9FD14, 00007FF6B9CA023C
(limited license period from , xrefs: 00007FF6B9CA0761
D, xrefs: 00007FF6B9CA04D7
a_next: , xrefs: 00007FF6B9CA06BF
serial: ', xrefs: 00007FF6B9CA0B75
SUB, xrefs: 00007FF6B9CA0683
license type: ', xrefs: 00007FF6B9CA0AE8
-content, xrefs: 00007FF6B9C9FB5A, 00007FF6B9C9FC1E
invalid, xrefs: 00007FF6B9CA06E5
license end: ', xrefs: 00007FF6B9CA019B, 00007FF6B9CA0C64
first name: ', xrefs: 00007FF6B9CA0A5F
product ID: ', xrefs: 00007FF6B9CA0B16
number of user licenses: , xrefs: 00007FF6B9CA0ABB
S, xrefs: 00007FF6B9CA04C8
license start: ', xrefs: 00007FF6B9CA016A, 00007FF6B9CA0C33
FILE*, xrefs: 00007FF6B9CA03BE
last name: ', xrefs: 00007FF6B9CA0A8D
WARNING: invalid machine ID - there was a problem reading your network adapter data!, xrefs: 00007FF6B9CA0CE3
:, xrefs: 00007FF6B9CA04A1
FSU, xrefs: 00007FF6B9C9FCE7, 00007FF6B9CA0283
product version: ', xrefs: 00007FF6B9CA0B44
writing new license to file, xrefs: 00007FF6B9CA030D
status: , xrefs: 00007FF6B9CA00B6, 00007FF6B9CA0A26

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: AttributesFile
String ID: (limited license period from $ to $-$-content$1.0.0$DATA*$ESB$FILE*$FLT$FSU$SUB$WARNING: invalid machine ID - there was a problem reading your network adapter data!$_RENDER_ONLY$a_next: $a_succ: $a_try: $content$first name: '$invalid$last name: '$license end: '$license start: '$license type: '$loading license directly (*$local license deactivated$number of user licenses: $product ID: '$product version: '$remote license lease dropped$result: $serial: '$status: $status: floating licenses can only be used with the floating license server$t$valid$writing new license to file$ $-$:$D$J$S$l$
API String ID: 3188754299-916615497
Opcode ID: 23220f13062f759fb2fd56c97aef39f2f3706d3a5e1f4664fef1b26a48c8f5ea
Instruction ID: 6a86566d32edfda3387f2f49af7eed8e232f2230f7cdbb70d1afce663995eb9f
Opcode Fuzzy Hash: 23220f13062f759fb2fd56c97aef39f2f3706d3a5e1f4664fef1b26a48c8f5ea
Instruction Fuzzy Hash: 96923361A5998694EB61EF28DC593F92370EF55388F805432D70EDB6AEEF2CD608C344

Function 00007FF6B9C8A740 Relevance: 39.3, APIs: 14, Strings: 8, Instructions: 764networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET ref: 00007FF6B9C8AF02
InternetSetOptionA.WININET ref: 00007FF6B9C8AF2C
InternetSetOptionA.WININET ref: 00007FF6B9C8AF44
InternetSetOptionA.WININET ref: 00007FF6B9C8AF5C
InternetConnectA.WININET ref: 00007FF6B9C8B0AA
HttpOpenRequestA.WININET ref: 00007FF6B9C8B113
HttpSendRequestA.WININET ref: 00007FF6B9C8B4D3
HttpQueryInfoA.WININET ref: 00007FF6B9C8B4FC
InternetReadFile.WININET ref: 00007FF6B9C8B534
GetLastError.KERNEL32 ref: 00007FF6B9C8B5C0
HttpQueryInfoA.WININET ref: 00007FF6B9C8B5E3
InternetCloseHandle.WININET ref: 00007FF6B9C8B686
InternetCloseHandle.WININET ref: 00007FF6B9C8B694
InternetCloseHandle.WININET ref: 00007FF6B9C8B6A2

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 00007FF6B9C8B146
Content-Type, xrefs: 00007FF6B9C8B182
t, xrefs: 00007FF6B9C8AA44
GET, xrefs: 00007FF6B9C8B0EA
https://, xrefs: 00007FF6B9C8AA8D, 00007FF6B9C8AB0F
Mozilla/5.0 (Compatible), xrefs: 00007FF6B9C8AEC4
http://, xrefs: 00007FF6B9C8AC4B
POST, xrefs: 00007FF6B9C8B0E3

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Internet$Http$CloseHandleOption$InfoOpenQueryRequest$ConnectErrorFileLastReadSend
String ID: Content-Type$Content-Type: application/x-www-form-urlencoded$GET$Mozilla/5.0 (Compatible)$POST$http://$https://$t
API String ID: 1486255883-1336110008
Opcode ID: ba58e2f75b416f112594b53a6ae6878838e6ba7699d92f3cd6147f220f0cb922
Instruction ID: 78aa6e60e642319ff34d727dcc44a3819b472010d845ae8bbed50e030d7812c1
Opcode Fuzzy Hash: ba58e2f75b416f112594b53a6ae6878838e6ba7699d92f3cd6147f220f0cb922
Instruction Fuzzy Hash: FA82F63261CAC681EB319F29E4987EAA3B1FB85744F804135D78D87A9ADF7DD548CB00

Function 00007FF6B9CD1450 Relevance: 37.4, APIs: 19, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF6B9CD14B1

Part of subcall function 00007FF6B9CB5D80: _getptd.LIBCMT ref: 00007FF6B9CB5D96
Part of subcall function 00007FF6B9CB5D80: __updatetlocinfo.LIBCMT ref: 00007FF6B9CB5DCB
Part of subcall function 00007FF6B9CB5D80: __updatetmbcinfo.LIBCMT ref: 00007FF6B9CB5DF2

_errno.LIBCMT ref: 00007FF6B9CD14B6

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

_fileno.LIBCMT ref: 00007FF6B9CD14E3

Part of subcall function 00007FF6B9CBD528: _errno.LIBCMT ref: 00007FF6B9CBD531
Part of subcall function 00007FF6B9CBD528: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CBD53C

write_multi_char.LIBCMT ref: 00007FF6B9CD1B1F
write_string.LIBCMT ref: 00007FF6B9CD1B3C
write_multi_char.LIBCMT ref: 00007FF6B9CD1B59
write_string.LIBCMT ref: 00007FF6B9CD1BB8
write_string.LIBCMT ref: 00007FF6B9CD1BEF
write_multi_char.LIBCMT ref: 00007FF6B9CD1C11
free.LIBCMT ref: 00007FF6B9CD1C25
_isleadbyte_l.LIBCMT ref: 00007FF6B9CD1CF6
write_char.LIBCMT ref: 00007FF6B9CD1D0C
write_char.LIBCMT ref: 00007FF6B9CD1D2D
_errno.LIBCMT ref: 00007FF6B9CD1E30
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CD1E3B

Strings

, xrefs: 00007FF6B9CD1AF3
@, xrefs: 00007FF6B9CD14CF

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: 88c9b5e4abb27927cb064ca53120f5ed29995979e43e2f8379dfcc59aa9e6c90
Instruction ID: d63625c10d67fbf16f2a1046c03dfcd5ff4f6ab7fb29b6bc9549d2f07c0b802f
Opcode Fuzzy Hash: 88c9b5e4abb27927cb064ca53120f5ed29995979e43e2f8379dfcc59aa9e6c90
Instruction Fuzzy Hash: C752D062ACC68686FB6C8E5D954C37E6AB1BF81784F14A135DB4E867D4DF3CE9408B00

Function 00007FF6B9CBDBB4 Relevance: 37.4, APIs: 19, Strings: 2, Instructions: 687COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF6B9CBDC15

Part of subcall function 00007FF6B9CB5D80: _getptd.LIBCMT ref: 00007FF6B9CB5D96
Part of subcall function 00007FF6B9CB5D80: __updatetlocinfo.LIBCMT ref: 00007FF6B9CB5DCB
Part of subcall function 00007FF6B9CB5D80: __updatetmbcinfo.LIBCMT ref: 00007FF6B9CB5DF2

_errno.LIBCMT ref: 00007FF6B9CBDC1A

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

_fileno.LIBCMT ref: 00007FF6B9CBDC47

Part of subcall function 00007FF6B9CBD528: _errno.LIBCMT ref: 00007FF6B9CBD531
Part of subcall function 00007FF6B9CBD528: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CBD53C

write_multi_char.LIBCMT ref: 00007FF6B9CBE277
write_string.LIBCMT ref: 00007FF6B9CBE294
write_multi_char.LIBCMT ref: 00007FF6B9CBE2B1
write_string.LIBCMT ref: 00007FF6B9CBE310
write_string.LIBCMT ref: 00007FF6B9CBE347
write_multi_char.LIBCMT ref: 00007FF6B9CBE369
free.LIBCMT ref: 00007FF6B9CBE37D
_isleadbyte_l.LIBCMT ref: 00007FF6B9CBE44E
write_char.LIBCMT ref: 00007FF6B9CBE464
write_char.LIBCMT ref: 00007FF6B9CBE485
_errno.LIBCMT ref: 00007FF6B9CBE57F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CBE58A

Strings

, xrefs: 00007FF6B9CBE24B
%li.%li.%li.%li, xrefs: 00007FF6B9CBDBBB

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $%li.%li.%li.%li
API String ID: 3318157856-2495504251
Opcode ID: 53a93e026cdb33f0ba4079394c99ec866ed19bb3243859ba2758b9384a7bb7d4
Instruction ID: a90092102fb5a956d69a41f2162fa80b44496f7ab700b529e1b652468a8ded9a
Opcode Fuzzy Hash: 53a93e026cdb33f0ba4079394c99ec866ed19bb3243859ba2758b9384a7bb7d4
Instruction Fuzzy Hash: 47529962A0C69A86FB648F5D94482BE7FB0BF45B84F641035DB4E87695DF3CE8408B81

Function 00007FF6B9C854A0 Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 574timesleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B9C85190: SHGetFolderPathA.SHELL32 ref: 00007FF6B9C85250

SetFileAttributesA.KERNEL32 ref: 00007FF6B9C85552
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FF6B9C85901
_time64.LIBCMT ref: 00007FF6B9C85911
Sleep.KERNEL32 ref: 00007FF6B9C85930
_time64.LIBCMT ref: 00007FF6B9C85967
_time64.LIBCMT ref: 00007FF6B9C85988
_time64.LIBCMT ref: 00007FF6B9C8599E
rand.LIBCMT ref: 00007FF6B9C85B3A
rand.LIBCMT ref: 00007FF6B9C85B66
SetFileAttributesA.KERNEL32 ref: 00007FF6B9C85DAD
GetSystemTime.KERNEL32 ref: 00007FF6B9C85DBA
rand.LIBCMT ref: 00007FF6B9C85DC0
SystemTimeToFileTime.KERNEL32 ref: 00007FF6B9C85E06
CreateFileA.KERNEL32 ref: 00007FF6B9C85E44
SetFileTime.KERNEL32 ref: 00007FF6B9C85E5F
CloseHandle.KERNEL32 ref: 00007FF6B9C85E68
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FF6B9C85EE7

Part of subcall function 00007FF6B9CA8510: std::_Xbad_alloc.LIBCPMT ref: 00007FF6B9CA859D

Strings

gfff, xrefs: 00007FF6B9C85DC8
string too long, xrefs: 00007FF6B9C85C43, 00007FF6B9C85C50

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: File$Time_time64$rand$AttributesIos_base_dtorSystemstd::ios_base::_$CloseCreateFolderHandlePathSleepXbad_allocstd::_
String ID: gfff$string too long
API String ID: 438800184-2250279893
Opcode ID: f48570b9438044147d6169b71e2f6c8697e3a89a47b065e7cdbbb993b120ddd2
Instruction ID: 1da321cd4495f9aa3bab1f3b3c265f34c5cffe647424b5ce7e30cbbc92aff34f
Opcode Fuzzy Hash: f48570b9438044147d6169b71e2f6c8697e3a89a47b065e7cdbbb993b120ddd2
Instruction Fuzzy Hash: 34526E32615AC299EB749F38C8983FD2371EB45758F804236DB5D8AAEADF78D645C300

Function 00007FF6B9C9A594 Relevance: 28.5, APIs: 4, Strings: 12, Instructions: 543COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B9C8E1B0: _time64.LIBCMT ref: 00007FF6B9C8E1BB

_errno.LIBCMT ref: 00007FF6B9C9ACE1
_errno.LIBCMT ref: 00007FF6B9C9AD90
_errno.LIBCMT ref: 00007FF6B9C9B009
_errno.LIBCMT ref: 00007FF6B9C9B0BA

Strings

l, xrefs: 00007FF6B9C9A7AE
writing , xrefs: 00007FF6B9C9AEA0, 00007FF6B9C9B14F
FAIL (, xrefs: 00007FF6B9C9AE4B, 00007FF6B9C9B10B
new license data: trial license, xrefs: 00007FF6B9C9ACB4
(b, xrefs: 00007FF6B9C9AC73
new license data: , xrefs: 00007FF6B9C9ACBD
FSU, xrefs: 00007FF6B9C9A615
FLT, xrefs: 00007FF6B9C9A5B9
bytes to file , xrefs: 00007FF6B9C9AEC3, 00007FF6B9C9B187
Ub, xrefs: 00007FF6B9C9AC46
0, xrefs: 00007FF6B9C9AE60
@REMOTE, xrefs: 00007FF6B9C9A802

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _errno$_time64
String ID: bytes to file $0$@REMOTE$FAIL ($FLT$FSU$new license data: $new license data: trial license$writing $l$(b$Ub
API String ID: 318442946-2718888663
Opcode ID: 739bf9cde98539b27dd7aab6cdb8468f82ea2c960eaeb0d63c31873315eaf0dc
Instruction ID: b4f24548d90bfb7e96b763601c664bc031be4d46f88b3b0656106d1f542fe9fb
Opcode Fuzzy Hash: 739bf9cde98539b27dd7aab6cdb8468f82ea2c960eaeb0d63c31873315eaf0dc
Instruction Fuzzy Hash: E4426E62A1DAC691EB31DF18E4593EEA771FB81788F805131D78D87AAADF2CD544CB00

Function 00007FF6B9C95050 Relevance: 23.8, APIs: 5, Strings: 8, Instructions: 1078COMMON

Download Yara Rule

APIs

_time64.LIBCMT ref: 00007FF6B9C950A1

Part of subcall function 00007FF6B9CB7BB8: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6B9CB7BC6

Part of subcall function 00007FF6B9CB728C: _getptd.LIBCMT ref: 00007FF6B9CB7294

rand.LIBCMT ref: 00007FF6B9C95B16
_time64.LIBCMT ref: 00007FF6B9C95B97

Strings

1.0.0, xrefs: 00007FF6B9C950BE
_RENDER_ONLY, xrefs: 00007FF6B9C9532D, 00007FF6B9C954A8, 00007FF6B9C957CB
FLT, xrefs: 00007FF6B9C95B0A
FSU, xrefs: 00007FF6B9C96471
FLT, xrefs: 00007FF6B9C96445
gfff, xrefs: 00007FF6B9C96268
gfff, xrefs: 00007FF6B9C95B9F
@REMOTE, xrefs: 00007FF6B9C9525D

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Time_time64$FileSystem_getptdrand
String ID: 1.0.0$@REMOTE$FLT$FLT$FSU$_RENDER_ONLY$gfff$gfff
API String ID: 2056829080-791714639
Opcode ID: fb20300fa841780d844b4cdcaf53c710758ea8605ded05741403712cfa48ef4a
Instruction ID: 5d0bfa8a0352dffe65717783544ea6468be5bdce2e0e9605c4772674aa520f0c
Opcode Fuzzy Hash: fb20300fa841780d844b4cdcaf53c710758ea8605ded05741403712cfa48ef4a
Instruction Fuzzy Hash: 17B22A2251CAC681EB719F28E4587EAB771EB81384F504135DB8D86AEBDF7CD489CB01

Function 00007FF6B9C96F32 Relevance: 19.2, Strings: 14, Instructions: 1678COMMON

Download Yara Rule

Strings

000000000000, xrefs: 00007FF6B9C97D7C
|o:, xrefs: 00007FF6B9C98851
trial license found (no valid license data), xrefs: 00007FF6B9C982EE
|d:, xrefs: 00007FF6B9C98A1F
license data: , xrefs: 00007FF6B9C98304
no matching machine ID found!, xrefs: 00007FF6B9C97F19
LICS*, xrefs: 00007FF6B9C9796D, 00007FF6B9C97F77, 00007FF6B9C980DA
*****, xrefs: 00007FF6B9C96F5B
|a:, xrefs: 00007FF6B9C988D9
_RENDER_ONLY, xrefs: 00007FF6B9C990C6, 00007FF6B9C990DE
DATA*, xrefs: 00007FF6B9C9807B
acde48001122, xrefs: 00007FF6B9C97DD6
TLC, xrefs: 00007FF6B9C98EF9
@REMOTE, xrefs: 00007FF6B9C98018, 00007FF6B9C98622, 00007FF6B9C9870E, 00007FF6B9C98BF5, 00007FF6B9C98FAD

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID:
String ID: *****$000000000000$@REMOTE$DATA*$LICS*$TLC$_RENDER_ONLY$acde48001122$license data: $no matching machine ID found!$trial license found (no valid license data)$|a:$|d:$|o:
API String ID: 0-3095003553
Opcode ID: de3f80668324199a0d3f2da254c2847f7feaa850a721e293a55ce2a3d2de6680
Instruction ID: 658c30bb272d43e6fcd31add3e348e0e969feff248ce1771eae07439033ca5cd
Opcode Fuzzy Hash: de3f80668324199a0d3f2da254c2847f7feaa850a721e293a55ce2a3d2de6680
Instruction Fuzzy Hash: 1C03602261D6C695EB319F28E4983FAA771FB95788F805132D78D87A9BDF2CD504CB00

Function 00007FF6B9C93470 Relevance: 16.5, APIs: 1, Strings: 8, Instructions: 790COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B9C91EE0: SHGetFolderPathA.SHELL32 ref: 00007FF6B9C91FC2
Part of subcall function 00007FF6B9C91EE0: remove.LIBCMT ref: 00007FF6B9C92080
Part of subcall function 00007FF6B9C91EE0: remove.LIBCMT ref: 00007FF6B9C920AD

_wgetenv.LIBCMT ref: 00007FF6B9C93E26

Part of subcall function 00007FF6B9CB7A0C: _errno.LIBCMT ref: 00007FF6B9CB7A21
Part of subcall function 00007FF6B9CB7A0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CB7A2C

Strings

<key>, xrefs: 00007FF6B9C93759
LicensingServer_Port, xrefs: 00007FF6B9C93B89
LicensingBackupServer_Port, xrefs: 00007FF6B9C93BFF
</string>, xrefs: 00007FF6B9C93775
27100, xrefs: 00007FF6B9C93C61
aescriptsLicensingServer, xrefs: 00007FF6B9C9357A, 00007FF6B9C935F3, 00007FF6B9C93E1F, 00007FF6B9C93ED9
LicensingServer_Address, xrefs: 00007FF6B9C93B49
LicensingBackupServer_Address, xrefs: 00007FF6B9C93BC6

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: remove$FolderPath_errno_invalid_parameter_noinfo_wgetenv
String ID: 27100$</string>$<key>$LicensingBackupServer_Address$LicensingBackupServer_Port$LicensingServer_Address$LicensingServer_Port$aescriptsLicensingServer
API String ID: 2317211808-1479187049
Opcode ID: 411b386f009fd4ea07bcd56b4c65bfa66c3fa2465820cf6a174a641641dffbc7
Instruction ID: 800fffda549bd81e70535f6ceff215f541e79aa31bb1e6d7d6c96e002eefe7f6
Opcode Fuzzy Hash: 411b386f009fd4ea07bcd56b4c65bfa66c3fa2465820cf6a174a641641dffbc7
Instruction Fuzzy Hash: 18726E22608B8689FB11DF69D4983ED3B71FB81388F504035EB4D9BA9ADF39D589C740

Function 00007FF6B9C84030 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 408COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF6B9C840A8
GetAdaptersInfo.IPHLPAPI ref: 00007FF6B9C840BD
free.LIBCMT ref: 00007FF6B9C840CB
malloc.LIBCMT ref: 00007FF6B9C840D4
GetAdaptersInfo.IPHLPAPI ref: 00007FF6B9C840E9
free.LIBCMT ref: 00007FF6B9C840F6
sprintf.LIBCMT ref: 00007FF6B9C84373
free.LIBCMT ref: 00007FF6B9C84635

Strings

%li.%li.%li.%li, xrefs: 00007FF6B9C84368

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: free$AdaptersInfomalloc$sprintf
String ID: %li.%li.%li.%li
API String ID: 3176089250-1731176481
Opcode ID: d10cdf357ab2bc3959a5a3fc129a597d6f23535822cbe3174e1f630efbb2aa6d
Instruction ID: bfe084ac9eada76ae6833f677a45fa62efd62138f05828340735258b5d687b1a
Opcode Fuzzy Hash: d10cdf357ab2bc3959a5a3fc129a597d6f23535822cbe3174e1f630efbb2aa6d
Instruction Fuzzy Hash: E6125A32A18A9589EB14CF68E8883BD3BB1FB45798F540235EB5E97AD9DF38D444C340

Function 00007FF6B9C839F0 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 373windownetworkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32 ref: 00007FF6B9C83A4A
getaddrinfo.WS2_32 ref: 00007FF6B9C83EA9
FormatMessageA.KERNEL32 ref: 00007FF6B9C83EE2
inet_ntop.WS2_32 ref: 00007FF6B9C83F80
freeaddrinfo.WS2_32 ref: 00007FF6B9C83FF9

Strings

.localdomain, xrefs: 00007FF6B9C83CDE
getaddrinfo error , xrefs: 00007FF6B9C83EE8
.local, xrefs: 00007FF6B9C83DBE

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: FormatMessagefreeaddrinfogetaddrinfogethostnameinet_ntop
String ID: .local$.localdomain$getaddrinfo error
API String ID: 1835220482-1587782278
Opcode ID: 0d3869f166b1bdac87fcd9c7cadc5d42e38a32cd38cc797aa963cfdd30f5da21
Instruction ID: 9e654c14f36304d95d7216a0c2991abe28938f3402f44d85aea910713ff71f24
Opcode Fuzzy Hash: 0d3869f166b1bdac87fcd9c7cadc5d42e38a32cd38cc797aa963cfdd30f5da21
Instruction Fuzzy Hash: 01025932A18A928AEB00DF79E8883AD37B1FB41798F501235EB5D97AD9DF78D544C340

Function 00007FF6B9C965D0 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 314COMMON

Download Yara Rule

APIs

_time64.LIBCMT ref: 00007FF6B9C9672A

Strings

1.0.0, xrefs: 00007FF6B9C9670E, 00007FF6B9C96748
_RENDER_ONLY, xrefs: 00007FF6B9C969C2, 00007FF6B9C96A69
K, xrefs: 00007FF6B9C96690
FLT, xrefs: 00007FF6B9C96869
TLC, xrefs: 00007FF6B9C9689C
@REMOTE, xrefs: 00007FF6B9C96696, 00007FF6B9C96ABD

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _time64
String ID: 1.0.0$@REMOTE$FLT$TLC$_RENDER_ONLY$K
API String ID: 1670930206-2998733053
Opcode ID: 6a2d34c6ceb55a6fa653833b9ca4c061a6abb3f4207e8aff040eca89f61d54ab
Instruction ID: e5c1d197cd039864183148f0a40c01d159a27eb06e4a3f185ce86aca2530813a
Opcode Fuzzy Hash: 6a2d34c6ceb55a6fa653833b9ca4c061a6abb3f4207e8aff040eca89f61d54ab
Instruction Fuzzy Hash: 26F13A22A18A9189FB11DF78D4483ED3BB1EB4535CF504136EB4D96ADADF78D285C340

Function 00007FF6B9C92500 Relevance: 11.4, APIs: 4, Strings: 2, Instructions: 917COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B9C837C0: GetUserNameA.ADVAPI32 ref: 00007FF6B9C83822

_Mtx_unlock.LIBCPMT ref: 00007FF6B9C92617
rand.LIBCMT ref: 00007FF6B9C928E9
closesocket.WS2_32 ref: 00007FF6B9C92F9E

Part of subcall function 00007FF6B9C835B0: recv.WS2_32 ref: 00007FF6B9C8360A

closesocket.WS2_32 ref: 00007FF6B9C933CA

Strings

DRPL, xrefs: 00007FF6B9C92F80
REQL, xrefs: 00007FF6B9C93366

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: closesocket$Mtx_unlockNameUserrandrecv
String ID: DRPL$REQL
API String ID: 2035232360-3605393878
Opcode ID: 721fc08aca532f495d05d118156107921167988e477034a3580ef18a1549f98c
Instruction ID: 82f4d57df18d8238510062879d6f4ff631d4b4f152eb9de55d62716bd0e18155
Opcode Fuzzy Hash: 721fc08aca532f495d05d118156107921167988e477034a3580ef18a1549f98c
Instruction Fuzzy Hash: F6A27E22A08A8289FB10DF78D8583ED3771EB41398F805535EB5D97AEADF78D685C340

Function 00007FF6B9C9BE20 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 465COMMON

Download Yara Rule

APIs

_time64.LIBCMT ref: 00007FF6B9C9C062
_time64.LIBCMT ref: 00007FF6B9C9C240
_time64.LIBCMT ref: 00007FF6B9C9C34A
_Mtx_unlock.LIBCPMT ref: 00007FF6B9C9C709

Strings

1.0.0, xrefs: 00007FF6B9C9BEEF, 00007FF6B9C9C084, 00007FF6B9C9C36C
t~, xrefs: 00007FF6B9C9C31F

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _time64$Mtx_unlock
String ID: 1.0.0$t~
API String ID: 1903240241-4207783639
Opcode ID: c360343a8360908138749ddabf9604666f8e131e62fd64f0da7eb135858dfb96
Instruction ID: ed9e9a84bff81b17901b84e75084ca847e75d19956b7cd0b474447009aa4e15b
Opcode Fuzzy Hash: c360343a8360908138749ddabf9604666f8e131e62fd64f0da7eb135858dfb96
Instruction Fuzzy Hash: B2324A3250CBC185E7719B28E4483EAB6B4EB953A4F504235D7DD86AEADF7CD588CB00

Function 00007FF6B9C9CB40 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 446COMMON

Download Yara Rule

APIs

_time64.LIBCMT ref: 00007FF6B9C9CBCD
_time64.LIBCMT ref: 00007FF6B9C9CE1D
_Mtx_unlock.LIBCPMT ref: 00007FF6B9C9D407

Strings

1.0.0, xrefs: 00007FF6B9C9CBEA, 00007FF6B9C9CE3F
content, xrefs: 00007FF6B9C9CEC8
@REMOTE, xrefs: 00007FF6B9C9D37E

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _time64$Mtx_unlock
String ID: 1.0.0$@REMOTE$content
API String ID: 1903240241-4152950612
Opcode ID: 40e5f10e47ca47a6761a1aedc3e36bdca0f7d5396d43875c1889cb17a7612ab4
Instruction ID: 00377d78c896fe412818f56d61110297dc240543be74642726b20254af675c66
Opcode Fuzzy Hash: 40e5f10e47ca47a6761a1aedc3e36bdca0f7d5396d43875c1889cb17a7612ab4
Instruction Fuzzy Hash: 11324B3250CBC285E7729B28E4483EAB6B4FB953A4F504235D7AD96ADADF7CD144CB00

Function 00007FF6B9C88DD0 Relevance: 8.5, APIs: 3, Strings: 1, Instructions: 1485COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF6B9C8945F
_wcstoi64.LIBCMT ref: 00007FF6B9C8962C

Strings

2%i, xrefs: 00007FF6B9C89451

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _wcstoi64sprintf
String ID: 2%i
API String ID: 3955018481-70509047
Opcode ID: 5e23b37e2fdf3e6468c6f338f5f408d1b77b1317337c8013a83a54b6ab350443
Instruction ID: 14292722234301997401a3e7afeaad307f75a15096a09dfa2d80fa57dcbe741b
Opcode Fuzzy Hash: 5e23b37e2fdf3e6468c6f338f5f408d1b77b1317337c8013a83a54b6ab350443
Instruction Fuzzy Hash: 7FE20D22A5958699EB20EF68C8993FD2370FB91398F805531D74ED7AEEDF28D604C344

Function 00007FF6B9C8CB60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 1071COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 00007FF6B9C8D776

Strings

1%i, xrefs: 00007FF6B9C8D768
3194837251290356, xrefs: 00007FF6B9C8DA1A
7654321234567898, xrefs: 00007FF6B9C8DA06, 00007FF6B9C8DA2E, 00007FF6B9C8DA42, 00007FF6B9C8DA56, 00007FF6B9C8DA6A, 00007FF6B9C8DA7E

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: sprintf
String ID: 1%i$3194837251290356$7654321234567898
API String ID: 590974362-2870800511
Opcode ID: 3398522d3731beca5f597bdad1c4eb6b5ef9381435dd5f48417ed061d0fb1c3a
Instruction ID: cba43a29488b9770e9b40fc106f38e44fbb68d73c9367dc1ac54d3b293aa5be0
Opcode Fuzzy Hash: 3398522d3731beca5f597bdad1c4eb6b5ef9381435dd5f48417ed061d0fb1c3a
Instruction Fuzzy Hash: EAC23D22609A8599EB24EF78D8983ED3770FB41348F805535DB4D9BAEADF38D648C350

Function 00007FF6B9C85F70 Relevance: 6.3, APIs: 4, Instructions: 327COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B9C85190: SHGetFolderPathA.SHELL32 ref: 00007FF6B9C85250

_time64.LIBCMT ref: 00007FF6B9C863BA
_time64.LIBCMT ref: 00007FF6B9C86411
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FF6B9C864B0
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FF6B9C86510

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Ios_base_dtor_time64std::ios_base::_$FolderPath
String ID:
API String ID: 1954716527-0
Opcode ID: af25f6fde421100cb7257152a915afc76279274dcf84ef90c747a9d93e43852d
Instruction ID: 0cb6634923efd137da43e91e6367350b69a0185b3fece599e93900d98586fd9e
Opcode Fuzzy Hash: af25f6fde421100cb7257152a915afc76279274dcf84ef90c747a9d93e43852d
Instruction Fuzzy Hash: F1F12922508AC689EB74DF38C8987ED3771EB41358F904135DB5D8AAEADF78D689C340

Function 00007FF6B9C85190 Relevance: 4.7, APIs: 3, Instructions: 191COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32 ref: 00007FF6B9C85250
CreateDirectoryA.KERNEL32 ref: 00007FF6B9C85382
SetFileAttributesA.KERNEL32 ref: 00007FF6B9C8539C

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: AttributesCreateDirectoryFileFolderPath
String ID:
API String ID: 1991693529-0
Opcode ID: 82fd2451d5227bc0dcd1215ad816a73d7755197062dc978f56ad1395053a3863
Instruction ID: 658adb8997841a0b201ff026e8bfac5226d4f74790fc548f1c4ec5230fb92855
Opcode Fuzzy Hash: 82fd2451d5227bc0dcd1215ad816a73d7755197062dc978f56ad1395053a3863
Instruction Fuzzy Hash: 16919022A18A9185FB149F7CE4883AD3771FB417A4F501231EB6E97ADADFB8D485C700

Function 00007FF6B9C9F298 Relevance: 4.0, Strings: 3, Instructions: 296COMMON

Download Yara Rule

Strings

FILE*, xrefs: 00007FF6B9C9F53A
- Unknown, xrefs: 00007FF6B9C9F8DF
DATA*, xrefs: 00007FF6B9C9F551

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID:
String ID: - Unknown$DATA*$FILE*
API String ID: 0-115703852
Opcode ID: e223762f1597084f296bc8fb5f4f44bad34682083b4c48ff3c19dc1f3b42985c
Instruction ID: cd7ffd7e1949517707e987835d734487821eeff0a47e4c44b42862682fba4553
Opcode Fuzzy Hash: e223762f1597084f296bc8fb5f4f44bad34682083b4c48ff3c19dc1f3b42985c
Instruction Fuzzy Hash: A3E12C32A196C699EB31EF38C8593ED2371EB55788F805432D74D8BA9EDF68DA45C300

Function 00007FF6B9C835B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF6B9C8360A

Part of subcall function 00007FF6B9CA8510: std::_Xbad_alloc.LIBCPMT ref: 00007FF6B9CA859D

Strings

string too long, xrefs: 00007FF6B9C8370A, 00007FF6B9C83717

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Xbad_allocrecvstd::_
String ID: string too long
API String ID: 3140412268-2556327735
Opcode ID: c19a0434db2db8eb3a2300d5e2e1edb1f711a82605da510c40de306e8249432c
Instruction ID: 877f105c9b993a4525f20c5af507d786ff8b4bb6ec466353692c44ba47e0fc45
Opcode Fuzzy Hash: c19a0434db2db8eb3a2300d5e2e1edb1f711a82605da510c40de306e8249432c
Instruction Fuzzy Hash: 1141E122A09B4282EB199F2DD59C2796671FB44BA4F401631CF6D83BE5DF3CE101C740

Function 00007FF6B9CC3868 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6B9CC38AB

Strings

csm, xrefs: 00007FF6B9CC386F

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: csm
API String ID: 3192549508-1018135373
Opcode ID: 2447300f6ec3465ead16d629e4ce46c99b562a325acde4c5e5da852cf9bc7048
Instruction ID: 4b3465b6ad8cf63118b94969facd80c6faebd62595c23a85861237490894cc5a
Opcode Fuzzy Hash: 2447300f6ec3465ead16d629e4ce46c99b562a325acde4c5e5da852cf9bc7048
Instruction Fuzzy Hash: DEE06D22F18106C7DA59AE2EA48D07C2BB1EB94704FA00432C30ED3291DF6CE992CB81

Function 00007FF6B9C947B0 Relevance: 3.0, Strings: 2, Instructions: 547COMMON

Download Yara Rule

Strings

1.0.0, xrefs: 00007FF6B9C94F01
string too long, xrefs: 00007FF6B9C94CCA, 00007FF6B9C94CD7, 00007FF6B9C94CF2, 00007FF6B9C94CFF

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: memchr
String ID: 1.0.0$string too long
API String ID: 3297308162-3307889991
Opcode ID: 33dfac10b30f5bac4d1ad7bc2cfdde2bb7764896482db54e0ee1ae35160bfca3
Instruction ID: 4627f51f962a9c1e3ccac1f1139c1e232236755f59494b54e9aaf6867ec2b4e4
Opcode Fuzzy Hash: 33dfac10b30f5bac4d1ad7bc2cfdde2bb7764896482db54e0ee1ae35160bfca3
Instruction Fuzzy Hash: AE42AD22A18BA189FB11CF69E4883AD77B1FB41788F500532EB5E97ADADF79D144C700

Function 00007FF6B9C94160 Relevance: 2.8, Strings: 2, Instructions: 309COMMON

Download Yara Rule

Strings

DRPL, xrefs: 00007FF6B9C943FD
REQL, xrefs: 00007FF6B9C94404

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID:
String ID: DRPL$REQL
API String ID: 0-3605393878
Opcode ID: c9a52c2b3fbd5138a98fb996f46619709b60f3b5713481f66d8d2fef14153de3
Instruction ID: 72815465725f81165655f035aa38da05db399416e4c1e8ba923ec28f11aa3820
Opcode Fuzzy Hash: c9a52c2b3fbd5138a98fb996f46619709b60f3b5713481f66d8d2fef14153de3
Instruction Fuzzy Hash: 3BE11622A18BD199E7619F78E8843ED37B5F70534CF404235DB8D5BA9ADF789288D340

Function 00007FF6B9C837C0 Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32 ref: 00007FF6B9C83822

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 0f98686a4b8fcfee3e556cf16876fa0a5e50784ec64797073e31495439e65b8c
Instruction ID: 5a5274f33bf00b76743bd752efe153938f73334bd1876736e876d26a0e2e7416
Opcode Fuzzy Hash: 0f98686a4b8fcfee3e556cf16876fa0a5e50784ec64797073e31495439e65b8c
Instruction Fuzzy Hash: 1851AF22A18A9286FB10DF78E8883ED3770EB417A8F501235DB5E97AE9CF78D145C740

Function 00007FF6B9C91A00 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

27100, xrefs: 00007FF6B9C91B41

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID:
String ID: 27100
API String ID: 0-2886292763
Opcode ID: 6e4a6d859505b2f3c07ea4f32d8960a1d868a64456b9a277e269e8e1eb1d1e88
Instruction ID: f3ff52a083cf9469ac30082a0022eaf47aa53c18757498aad9394a4db63773fc
Opcode Fuzzy Hash: 6e4a6d859505b2f3c07ea4f32d8960a1d868a64456b9a277e269e8e1eb1d1e88
Instruction Fuzzy Hash: 32D1DF22B1965285FB10AF69E0597BD23B1EB017A8F409630DF2E97ADADF7CE145C340

Function 00007FF6B9CBCF9C Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,?,?,00007FF6B9CD42C7,?,?,00000140,00007FF6B9CD4997), ref: 00007FF6B9CBCFCD

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 987e55d109183da88758b5caddb6c4ece99c384733c83da0ac54fc19a894a36d
Instruction ID: fa0136591b418df34eceec446ca635de6fbeea4d8abf383784c6dce80e70b8fb
Opcode Fuzzy Hash: 987e55d109183da88758b5caddb6c4ece99c384733c83da0ac54fc19a894a36d
Instruction Fuzzy Hash: AAE0B662E59A2686EB458F9EE8853202270AB5A305F405271C70DC6775CF6CA1958300

Function 00007FF6B9C86590 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56002f7d27eb1eb39365d711a26b4f71e54e163b4668d0f80b23bc306ea981a8
Instruction ID: ad015363bf0b841af4e8986c8b9c825def1f6356c8c2d65412f4ed30bc2ba53c
Opcode Fuzzy Hash: 56002f7d27eb1eb39365d711a26b4f71e54e163b4668d0f80b23bc306ea981a8
Instruction Fuzzy Hash: 511292B7F3816057C35DCB29EC52F9A3692B7A4308749D428E706D2F08E63DFA159B44

Function 00007FF6B9C87360 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 61394798c055cc122092d47e7fc80b814d525bccadcad0948e68e49d4e1d6167
Instruction ID: 7577d76494d14a86cbcf46b814fb5e99bfddad6089d0151621f0a1bba257d4ab
Opcode Fuzzy Hash: 61394798c055cc122092d47e7fc80b814d525bccadcad0948e68e49d4e1d6167
Instruction Fuzzy Hash: F5A1DE22A28A9186E7189F78E8493ED67B1F784348F500539EF4D9BFEADF79D4408740

Function 00007FF6B9CCA504 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 88synchronizationCOMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00007FF6B9CCA535
_CxxThrowException.LIBCMT ref: 00007FF6B9CCA552
std::exception::exception.LIBCMT ref: 00007FF6B9CCA56E
_CxxThrowException.LIBCMT ref: 00007FF6B9CCA58B
_SpinWait.LIBCMT ref: 00007FF6B9CCA5ED
EnterCriticalSection.KERNEL32 ref: 00007FF6B9CCA632
LeaveCriticalSection.KERNEL32 ref: 00007FF6B9CCA642
SetEvent.KERNEL32 ref: 00007FF6B9CCA64B
WaitForSingleObject.KERNEL32 ref: 00007FF6B9CCA658
Concurrency::details::ResourceManager::~ResourceManager.LIBCMT ref: 00007FF6B9CCA661

Strings

pScheduler, xrefs: 00007FF6B9CCA51F
version, xrefs: 00007FF6B9CCA558

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: CriticalExceptionResourceSectionThrowWaitstd::exception::exception$Concurrency::details::EnterEventLeaveManagerManager::~ObjectSingleSpin
String ID: pScheduler$version
API String ID: 699445218-3154422776
Opcode ID: 37124c8201fcf94d47151efbafb6cda6ec09a0aeebdb7ffeb8d655e1df7dfb0a
Instruction ID: fd6b613ed1636a91489b8f1a42e33036ea9711b51e8032b3abb96c66f1b57f5e
Opcode Fuzzy Hash: 37124c8201fcf94d47151efbafb6cda6ec09a0aeebdb7ffeb8d655e1df7dfb0a
Instruction Fuzzy Hash: 7441BC32A08E5682EB10DF19E4981A833B4FF45394F504232E75DC3AA4DF3CE559CB80

Function 00007FF6B9C9A9CB Relevance: 17.9, APIs: 4, Strings: 6, Instructions: 377COMMON

Download Yara Rule

Strings

writing , xrefs: 00007FF6B9C9AEA0, 00007FF6B9C9B14F
new license data: trial license, xrefs: 00007FF6B9C9ACB4
(b, xrefs: 00007FF6B9C9AC73
Ub, xrefs: 00007FF6B9C9AC46
bytes to file , xrefs: 00007FF6B9C9AEC3, 00007FF6B9C9B187
content, xrefs: 00007FF6B9C9AA5D

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID:
String ID: bytes to file $content$new license data: trial license$writing $(b$Ub
API String ID: 0-3042556935
Opcode ID: 9448679977c9af379fb54e091d718d9741fec6894d6337a3ccf21176fde89b46
Instruction ID: 13afb4317b42d9cf6dc621827df587352469713db19c3f5c672acf2a0c417e77
Opcode Fuzzy Hash: 9448679977c9af379fb54e091d718d9741fec6894d6337a3ccf21176fde89b46
Instruction Fuzzy Hash: AC123A6260CAC695EA319F28E4593EAB775FB81784F804135E78D87AABDF2CD544CB00

Function 00007FF6B9C81920 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 00007FF6B9C81966

Part of subcall function 00007FF6B9CB87F8: RtlPcToFileHeader.KERNEL32 ref: 00007FF6B9CB8887
Part of subcall function 00007FF6B9CB87F8: RaiseException.KERNEL32 ref: 00007FF6B9CB88C6

std::exception::exception.LIBCMT ref: 00007FF6B9C819C3
_CxxThrowException.LIBCMT ref: 00007FF6B9C81A05
std::exception::exception.LIBCMT ref: 00007FF6B9C81A3C
_CxxThrowException.LIBCMT ref: 00007FF6B9C81A7E
std::exception::exception.LIBCMT ref: 00007FF6B9C81AB1
_CxxThrowException.LIBCMT ref: 00007FF6B9C81AF3

Strings

ios_base::eofbit set, xrefs: 00007FF6B9C81A8A
ios_base::badbit set, xrefs: 00007FF6B9C8199C
ios_base::failbit set, xrefs: 00007FF6B9C81A15

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Exception$Throw$std::exception::exception$FileHeaderRaise
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4097400096-1866435925
Opcode ID: 20b84a5826d7b11eb14a7e140e936dd628b3824314bec0e49429d5af5ecbd604
Instruction ID: 4f29a169ecd71cde22443a641f4eac52727b7aa5f99f75505fea70325c438875
Opcode Fuzzy Hash: 20b84a5826d7b11eb14a7e140e936dd628b3824314bec0e49429d5af5ecbd604
Instruction Fuzzy Hash: 77513A32A09B05D9EB14DF68D8A43EC33B4EB0474CF805935EB0D96AA9DF79D219C340

Function 00007FF6B9CC606C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B9CC9043,?,?,?,?,00007FF6B9CC9779), ref: 00007FF6B9CC6083
malloc.LIBCMT ref: 00007FF6B9CC6090

Part of subcall function 00007FF6B9CB5C2C: _FF_MSGBANNER.LIBCMT ref: 00007FF6B9CB5C5C
Part of subcall function 00007FF6B9CB5C2C: _NMSG_WRITE.LIBCMT ref: 00007FF6B9CB5C66
Part of subcall function 00007FF6B9CB5C2C: HeapAlloc.KERNEL32(?,?,00000000,00007FF6B9CBAE48,?,?,?,00007FF6B9CB93C0,?,?,?,00007FF6B9CB92BF), ref: 00007FF6B9CB5C81
Part of subcall function 00007FF6B9CB5C2C: _callnewh.LIBCMT ref: 00007FF6B9CB5C9A
Part of subcall function 00007FF6B9CB5C2C: _errno.LIBCMT ref: 00007FF6B9CB5CA5
Part of subcall function 00007FF6B9CB5C2C: _errno.LIBCMT ref: 00007FF6B9CB5CB0

Part of subcall function 00007FF6B9CBC2B0: SetLastError.KERNEL32(?,?,?,?,00007FF6B9CC6083,?,?,?,?,?,?,00000000,00007FF6B9CC9043), ref: 00007FF6B9CBC2D0

GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B9CC9043,?,?,?,?,00007FF6B9CC9779), ref: 00007FF6B9CC60BA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CC60D3
_CxxThrowException.LIBCMT ref: 00007FF6B9CC60E4
_CxxThrowException.LIBCMT ref: 00007FF6B9CC6123
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B9CC9043,?,?,?,?,00007FF6B9CC9779), ref: 00007FF6B9CC6129
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CC6142
_CxxThrowException.LIBCMT ref: 00007FF6B9CC6153

Strings

bad allocation, xrefs: 00007FF6B9CC60EA

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ErrorLast$ExceptionThrow$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error_errno$AllocHeap_callnewhmalloc
String ID: bad allocation
API String ID: 1961218317-2104205924
Opcode ID: 0225e01ed3cd48f97f23321390d0bb6128aebccebbd389f9e5f25c7c7613fbfe
Instruction ID: 02131feb22920c5fedb2095a749e79c35d02305bb7981978c98c722963e31065
Opcode Fuzzy Hash: 0225e01ed3cd48f97f23321390d0bb6128aebccebbd389f9e5f25c7c7613fbfe
Instruction Fuzzy Hash: 36219222A0CA4B81EE14EF69E5591B963B1FF84388F808531E78DC769AEF3DE505C744

Function 00007FF6B9C92250 Relevance: 16.7, APIs: 11, Instructions: 171networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FF6B9C922F9
_Mtx_unlock.LIBCPMT ref: 00007FF6B9C9230A
_Mtx_unlock.LIBCPMT ref: 00007FF6B9C92323

Part of subcall function 00007FF6B9CB1054: Concurrency::critical_section::unlock.LIBCMT ref: 00007FF6B9CB106E

socket.WS2_32 ref: 00007FF6B9C92352
closesocket.WS2_32 ref: 00007FF6B9C9237D
socket.WS2_32 ref: 00007FF6B9C923A7
closesocket.WS2_32 ref: 00007FF6B9C923D2
inet_ntop.WS2_32 ref: 00007FF6B9C92404
freeaddrinfo.WS2_32 ref: 00007FF6B9C9240F
setsockopt.WS2_32 ref: 00007FF6B9C9243B
setsockopt.WS2_32 ref: 00007FF6B9C92464

Part of subcall function 00007FF6B9CB0368: std::_Throw_Cpp_error.LIBCPMT ref: 00007FF6B9CB0389
Part of subcall function 00007FF6B9CB0368: std::_Throw_Cpp_error.LIBCPMT ref: 00007FF6B9CB0391
Part of subcall function 00007FF6B9CB0368: std::_Throw_Cpp_error.LIBCPMT ref: 00007FF6B9CB039C

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Mtx_unlockclosesocketsetsockoptsocket$Concurrency::critical_section::unlockfreeaddrinfogetaddrinfoinet_ntop
String ID:
API String ID: 3148495818-0
Opcode ID: f604289629911277989480bb5d5973037388575b7524291c876a2ebb8b5018d2
Instruction ID: 0f58184395843bda640957c81586ac9373a7f43aff1748efce0d9a30eee0fe41
Opcode Fuzzy Hash: f604289629911277989480bb5d5973037388575b7524291c876a2ebb8b5018d2
Instruction Fuzzy Hash: 08813B32A08A4286EB20DF29E44836D77B1FB89B68F544235DB9E876D6DF3CE444C750

Function 00007FF6B9CE89FC Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00007FF6B9CE8A4C
_CxxThrowException.LIBCMT ref: 00007FF6B9CE8A69
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCMT ref: 00007FF6B9CE8AD7
SignalObjectAndWait.KERNEL32 ref: 00007FF6B9CE8AF3
std::exception::exception.LIBCMT ref: 00007FF6B9CE8B2F
_CxxThrowException.LIBCMT ref: 00007FF6B9CE8B4C

Strings

switchState, xrefs: 00007FF6B9CE8A36
pContext, xrefs: 00007FF6B9CE8B19

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ExceptionThrowstd::exception::exception$AffinitizeConcurrency::details::FreeObjectProcessorRoot::SignalVirtualWait
String ID: pContext$switchState
API String ID: 2521916644-2660820399
Opcode ID: a3473efad4469623265d71763c12b7fb0313d89ce7e337f260fd642833b2ecea
Instruction ID: 5eb32be8c990acb49c8dd0d8cd975a8346e01a1d1fad27588e56bf2d1afb1b01
Opcode Fuzzy Hash: a3473efad4469623265d71763c12b7fb0313d89ce7e337f260fd642833b2ecea
Instruction Fuzzy Hash: 16418E72A09F4A82EE20DF1AE14926973B0FB45B88F504131DB4E97B98DF3CE146C744

Function 00007FF6B9CDACA0 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 00007FF6B9CDACB9

Part of subcall function 00007FF6B9CDC1D8: TlsGetValue.KERNEL32(?,?,?,00007FF6B9CDACBE), ref: 00007FF6B9CDC1EA

std::exception::exception.LIBCMT ref: 00007FF6B9CDACF9
_CxxThrowException.LIBCMT ref: 00007FF6B9CDAD16
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CDAD21
_CxxThrowException.LIBCMT ref: 00007FF6B9CDAD32
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CDAD3D
_CxxThrowException.LIBCMT ref: 00007FF6B9CDAD4E

Strings

pScheduler, xrefs: 00007FF6B9CDACE3

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ExceptionThrow$std::bad_exception::bad_exception$Concurrency::details::CurrentExecutionProxy::ResourceSchedulerThreadValuestd::exception::exception
String ID: pScheduler
API String ID: 2546527957-923244539
Opcode ID: 0a92d1236b80b8fdbef8a58dc719a057624d1992e7403410bef65b88da2779f8
Instruction ID: 4fccf0f6b29f25a81ba213927b4dbe2ce394ac1829ff5a8667ebcf7b6ac157cd
Opcode Fuzzy Hash: 0a92d1236b80b8fdbef8a58dc719a057624d1992e7403410bef65b88da2779f8
Instruction Fuzzy Hash: 90112E62A48A4792EE20EF09E4590A96374FF88788F904531E78D87675EF7CD605C740

Function 00007FF6B9CC248C Relevance: 13.6, APIs: 9, Instructions: 63COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6B9CC24A5

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

__lock_fhandle.LIBCMT ref: 00007FF6B9CC24ED
FlushFileBuffers.KERNEL32(?,?,?,00007FF6B9CB63DE,?,?,00000000,00007FF6B9CB64A0), ref: 00007FF6B9CC2508
GetLastError.KERNEL32(?,?,?,00007FF6B9CB63DE,?,?,00000000,00007FF6B9CB64A0), ref: 00007FF6B9CC2512
__doserrno.LIBCMT ref: 00007FF6B9CC2522
_errno.LIBCMT ref: 00007FF6B9CC2529
_unlock_fhandle.LIBCMT ref: 00007FF6B9CC2539

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 2927645455-0
Opcode ID: a89aaae0539ade81d037064eb86fb358608727817e567aabedb7f0df4bab6221
Instruction ID: 8a58605ec89d448a5e99d82572862cde998905d4794df0d7c6d9152157b6eaee
Opcode Fuzzy Hash: a89aaae0539ade81d037064eb86fb358608727817e567aabedb7f0df4bab6221
Instruction Fuzzy Hash: 8321A121F08A5645EA116F6DA99827E6A70AF81760F590138DB1EC73E2CF7CF8458354

Function 00007FF6B9C91EE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 178COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32 ref: 00007FF6B9C91FC2
remove.LIBCMT ref: 00007FF6B9C92080
remove.LIBCMT ref: 00007FF6B9C920AD
remove.LIBCMT ref: 00007FF6B9C92104

Strings

.lic, xrefs: 00007FF6B9C92129
.plist, xrefs: 00007FF6B9C92122
aescripts\, xrefs: 00007FF6B9C9208B

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: remove$FolderPath
String ID: .lic$.plist$aescripts\
API String ID: 2070512967-1236034080
Opcode ID: 50eeefc3062eecd178c5cc6e2785b66720f537c8fa5d53ec275a4f874a5f38b1
Instruction ID: 473e998a4636295993aad01902c28d1ee00e3ad0bef5366a17f36a87d6f145e5
Opcode Fuzzy Hash: 50eeefc3062eecd178c5cc6e2785b66720f537c8fa5d53ec275a4f874a5f38b1
Instruction Fuzzy Hash: 6081522261CAC581EB10DF19E4593AAB771FB827A4F901231E7AD83AEACF7DD544C700

Function 00007FF6B9CE87C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00007FF6B9CE881D
_CxxThrowException.LIBCMT ref: 00007FF6B9CE883A
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CE8845
_CxxThrowException.LIBCMT ref: 00007FF6B9CE8856
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CE8861
_CxxThrowException.LIBCMT ref: 00007FF6B9CE8872

Strings

pContext, xrefs: 00007FF6B9CE8801

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ExceptionThrow$std::bad_exception::bad_exception$std::exception::exception
String ID: pContext
API String ID: 3610078031-2046700901
Opcode ID: 1a10e65e9c3be4f5ef1747115894c9c672c718e4b042ef2fd29cfcd7c0986a62
Instruction ID: 278ef574d40c3e01e8e8941937126669cf24e2357f0f800c0030365072e25f40
Opcode Fuzzy Hash: 1a10e65e9c3be4f5ef1747115894c9c672c718e4b042ef2fd29cfcd7c0986a62
Instruction Fuzzy Hash: 9711BF62A18A4B81EE10EF08E4691B96370FF84788F904431EB5EC76A5EF3CE149C744

Function 00007FF6B9CC1820 Relevance: 12.2, APIs: 8, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 00007FF6B9CC1849

Part of subcall function 00007FF6B9CBAE18: malloc.LIBCMT ref: 00007FF6B9CBAE43
Part of subcall function 00007FF6B9CBAE18: Sleep.KERNEL32(?,?,?,00007FF6B9CB93C0,?,?,?,00007FF6B9CB92BF), ref: 00007FF6B9CBAE56

free.LIBCMT ref: 00007FF6B9CC194A
free.LIBCMT ref: 00007FF6B9CC1966

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: free$Sleep_malloc_crtmalloc
String ID:
API String ID: 2523592665-0
Opcode ID: d538ba41b055fb1f9364d438104dd17988e7f216bec028accaf4dd629781d306
Instruction ID: b9e597990c7bf58fda6296d93ec7acae59e2ecde95371497f10066e2c7c3e501
Opcode Fuzzy Hash: d538ba41b055fb1f9364d438104dd17988e7f216bec028accaf4dd629781d306
Instruction Fuzzy Hash: 28619F22B09B4293EB119F1BE98526A77B0FB84B98F448135DF4D93B51DF3CE5668380

Function 00007FF6B9CD5F40 Relevance: 12.1, APIs: 8, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 00007FF6B9CD5F6D

Part of subcall function 00007FF6B9CB9368: _FF_MSGBANNER.LIBCMT ref: 00007FF6B9CB9385
Part of subcall function 00007FF6B9CB9368: _NMSG_WRITE.LIBCMT ref: 00007FF6B9CB938F

_lock.LIBCMT ref: 00007FF6B9CD5F80
_lock.LIBCMT ref: 00007FF6B9CD5FDB
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00000109,80000000,00007FF6B9CD7179), ref: 00007FF6B9CD5FF0
EnterCriticalSection.KERNEL32(?,?,?,00000109,80000000,00007FF6B9CD7179), ref: 00007FF6B9CD600C
LeaveCriticalSection.KERNEL32(?,?,?,00000109,80000000,00007FF6B9CD7179), ref: 00007FF6B9CD601C
_calloc_crt.LIBCMT ref: 00007FF6B9CD6092
__lock_fhandle.LIBCMT ref: 00007FF6B9CD60FA

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: CriticalSection$_lock$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
String ID:
API String ID: 854778215-0
Opcode ID: 08545cbb6868adf57ace4d267df997acc697e57f35bf43482b42d38d8ee1e828
Instruction ID: 4a52e5b8aa8afd304836f7d0c813601f9494fc7b2abf7f5b3fd2478e6699664f
Opcode Fuzzy Hash: 08545cbb6868adf57ace4d267df997acc697e57f35bf43482b42d38d8ee1e828
Instruction Fuzzy Hash: EF51BB22A98B8582EB208F28D948239B7B5FF84B98F554535DB4D877E9CF3CE841C705

Function 00007FF6B9CC7370 Relevance: 12.0, APIs: 8, Instructions: 44threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCMT ref: 00007FF6B9CC7395

Part of subcall function 00007FF6B9CC6488: CreateThread.KERNEL32 ref: 00007FF6B9CC64A0
Part of subcall function 00007FF6B9CC6488: Concurrency::details::ReferenceLoadLibrary.LIBCMT ref: 00007FF6B9CC64C2

SetThreadPriority.KERNEL32 ref: 00007FF6B9CC73AB
GetLastError.KERNEL32 ref: 00007FF6B9CC73BB
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CC73D4
_CxxThrowException.LIBCMT ref: 00007FF6B9CC73E5
GetLastError.KERNEL32 ref: 00007FF6B9CC73EB
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CC7404
_CxxThrowException.LIBCMT ref: 00007FF6B9CC7415

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Thread$Concurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorExceptionLastLibraryLoadThrow$PriorityReference
String ID:
API String ID: 2237552173-0
Opcode ID: 0cb42799f0be884d7e1ea55998eca801c8cc529737faef5f85796a878d6bb837
Instruction ID: dd1abe19acc753f77c0dfb3945933b7325ee24b41eec754c654ab1248ca5b11f
Opcode Fuzzy Hash: 0cb42799f0be884d7e1ea55998eca801c8cc529737faef5f85796a878d6bb837
Instruction Fuzzy Hash: C911A121A18A4782FB00EF29E9183BA22B1FF88744F544531E74DC6699EF3CE509C794

Function 00007FF6B9CD7720 Relevance: 10.6, APIs: 7, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CD774B
_errno.LIBCMT ref: 00007FF6B9CD7740

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

_errno.LIBCMT ref: 00007FF6B9CD77EE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CD77F9

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: d285b2bbadf80e2166a45276edc87aa0736bfca5b4ec6619b3545f8714ce3ff0
Instruction ID: a790603ec90553fe8889a48aad481c043719416a7a97377929072486078f52cb
Opcode Fuzzy Hash: d285b2bbadf80e2166a45276edc87aa0736bfca5b4ec6619b3545f8714ce3ff0
Instruction Fuzzy Hash: 2A4117B2E8829382FA645F1995581B972F0EF40795FA44135DBAD977E5DF3CE940C300

Function 00007FF6B9CD125C Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CD1282
_errno.LIBCMT ref: 00007FF6B9CD1277

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF6B9CD1301
_errno.LIBCMT ref: 00007FF6B9CD1312
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CD131D

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: 0899df62475010d5ee482fa7f7096b6a796be90366d2c6e758e3543dec0c843c
Instruction ID: bc9408115807a89090158c4782a9ea024de095a106906226d89cf559cf054089
Opcode Fuzzy Hash: 0899df62475010d5ee482fa7f7096b6a796be90366d2c6e758e3543dec0c843c
Instruction Fuzzy Hash: 1D413772E9C2A281EB686F1991491BD33F0EF44BA5F848135E78887BC5DF2CE9418700

Function 00007FF6B9CACAD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B9CACAF1

Part of subcall function 00007FF6B9CB07BC: _lock.LIBCMT ref: 00007FF6B9CB07CE

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B9CACB16
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CACBB1
_CxxThrowException.LIBCMT ref: 00007FF6B9CACBC2
std::_Facet_Register.LIBCPMT ref: 00007FF6B9CACBE0

Strings

bad cast, xrefs: 00007FF6B9CACBA5

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: cf94a65d29a58edc82353b24941c8619b48cca9a216b557fe6a530e4c3d837b9
Instruction ID: f3354af05a838e7847b37ab9f770ef1a3f96917c42f3bc02ae35cb2dcc9b04bb
Opcode Fuzzy Hash: cf94a65d29a58edc82353b24941c8619b48cca9a216b557fe6a530e4c3d837b9
Instruction Fuzzy Hash: F0317E22A0CA1681EA10DF1EF4480B973B1EB95BA4F444232DB5D836FADF3CE442C704

Function 00007FF6B9CAC990 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B9CAC9B1

Part of subcall function 00007FF6B9CB07BC: _lock.LIBCMT ref: 00007FF6B9CB07CE

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B9CAC9D6
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CACA71
_CxxThrowException.LIBCMT ref: 00007FF6B9CACA82
std::_Facet_Register.LIBCPMT ref: 00007FF6B9CACAA0

Strings

bad cast, xrefs: 00007FF6B9CACA65

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: 0cb3c862abbe387d89923255385b267e96230e7d8c8512852b1ed9874cb265e9
Instruction ID: baa0e2b3b17c1e4b0b2532defc70fc2c76a1348da1e52eb94c59802df2ce560a
Opcode Fuzzy Hash: 0cb3c862abbe387d89923255385b267e96230e7d8c8512852b1ed9874cb265e9
Instruction Fuzzy Hash: 2C316F22A48A1681EA11DF1EE4481B97371FB95BA4F444335DB6D836FADF3CE942C704

Function 00007FF6B9CACC10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B9CACC31

Part of subcall function 00007FF6B9CB07BC: _lock.LIBCMT ref: 00007FF6B9CB07CE

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B9CACC56
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CACCF1
_CxxThrowException.LIBCMT ref: 00007FF6B9CACD02
std::_Facet_Register.LIBCPMT ref: 00007FF6B9CACD20

Strings

bad cast, xrefs: 00007FF6B9CACCE5

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: 8a5555141b173215c6208a9c8aeb2d79524cb6a645284a8cc6ebc8768d1bb076
Instruction ID: 917cee3fe0f1c8927271131e0a512b2347fcb4c143c8c1f62428263f68597167
Opcode Fuzzy Hash: 8a5555141b173215c6208a9c8aeb2d79524cb6a645284a8cc6ebc8768d1bb076
Instruction Fuzzy Hash: B731A022A0DB1681EA10DF2EE4480B96770EF95BA4F580231DB5D836FADF3CE542C700

Function 00007FF6B9CACD50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B9CACD71

Part of subcall function 00007FF6B9CB07BC: _lock.LIBCMT ref: 00007FF6B9CB07CE

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B9CACD96
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CACE31
_CxxThrowException.LIBCMT ref: 00007FF6B9CACE42
std::_Facet_Register.LIBCPMT ref: 00007FF6B9CACE60

Strings

bad cast, xrefs: 00007FF6B9CACE25

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: b620016426c3c4f85725f080e70a896ebae7bd1f02c87cd46daec41abacdc0d6
Instruction ID: 55b7d68590d9bf95264da6bec2db1419b1fc267d9c306d141af627546c9d043b
Opcode Fuzzy Hash: b620016426c3c4f85725f080e70a896ebae7bd1f02c87cd46daec41abacdc0d6
Instruction Fuzzy Hash: 05315C22A48A5281FA51DF1EE8481B967B1FB95BA4F544232DB5DC36FADF3CE442C700

Function 00007FF6B9CABD00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B9CABD21

Part of subcall function 00007FF6B9CB07BC: _lock.LIBCMT ref: 00007FF6B9CB07CE

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6B9CABD46
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CABDE1
_CxxThrowException.LIBCMT ref: 00007FF6B9CABDF2
std::_Facet_Register.LIBCPMT ref: 00007FF6B9CABE10

Strings

bad cast, xrefs: 00007FF6B9CABDD5

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: aa154f2c991e8ed59acf2e90d9ba5e8cd8cb48189b39342ab2e944e951774971
Instruction ID: c4440049e6a1761a754115075aac891503b0d819aba473f6b7e540d4b8f89fbd
Opcode Fuzzy Hash: aa154f2c991e8ed59acf2e90d9ba5e8cd8cb48189b39342ab2e944e951774971
Instruction Fuzzy Hash: BF317A22A08A5282FA50DF2EE4881B96371FF95BA4F544232DB5D836EDDF3CE442C700

Function 00007FF6B9CC3574 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF6B9CC35A8

Part of subcall function 00007FF6B9CB5D80: _getptd.LIBCMT ref: 00007FF6B9CB5D96
Part of subcall function 00007FF6B9CB5D80: __updatetlocinfo.LIBCMT ref: 00007FF6B9CB5DCB
Part of subcall function 00007FF6B9CB5D80: __updatetmbcinfo.LIBCMT ref: 00007FF6B9CB5DF2

_errno.LIBCMT ref: 00007FF6B9CC35C3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CC35CE

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 0feb9feecc3329452ea8ec885c6d8bb3b47baf9b3ae0000ffeb1a2f89b7271b5
Instruction ID: 7b7e893edf3cba011cc9e441b01950cbcdbbd58040c06ec7006b3bf298113de4
Opcode Fuzzy Hash: 0feb9feecc3329452ea8ec885c6d8bb3b47baf9b3ae0000ffeb1a2f89b7271b5
Instruction Fuzzy Hash: DA317F72A0C7458AE7219F19E58866DBAB4FB58BE0F544131EB5D83BD5CF38E8418780

Function 00007FF6B9CE82F0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCMT ref: 00007FF6B9CE8316

Part of subcall function 00007FF6B9CDBECC: SetEvent.KERNEL32(?,?,?,00007FF6B9CDAB67,?,?,?,00007FF6B9CCA891), ref: 00007FF6B9CDBF21

std::exception::exception.LIBCMT ref: 00007FF6B9CE8342
_CxxThrowException.LIBCMT ref: 00007FF6B9CE835F
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CE836A
_CxxThrowException.LIBCMT ref: 00007FF6B9CE837B

Strings

pScheduler, xrefs: 00007FF6B9CE832C

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ExceptionThrow$Concurrency::details::CoreDecrementEventProxy::SchedulerSubscriptionstd::bad_exception::bad_exceptionstd::exception::exception
String ID: pScheduler
API String ID: 627769529-923244539
Opcode ID: 4a65618706d70c55c2da5df99ba9c83219bbdc0a02742f42fd5244051ed5d83f
Instruction ID: 923f1e5fe1cc27ae58c540b94a50bed271e0f02369cdb0bd19624ee79b5fcad0
Opcode Fuzzy Hash: 4a65618706d70c55c2da5df99ba9c83219bbdc0a02742f42fd5244051ed5d83f
Instruction Fuzzy Hash: 48016172A18A0B81EE14DF18E0591A87371FF84B88F901531EB4D8B6A5DF3CE14AC744

Function 00007FF6B9CBA330 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF6B9CBA351
_getptd.LIBCMT ref: 00007FF6B9CBA35F
_getptd.LIBCMT ref: 00007FF6B9CBA371

Strings

MOC, xrefs: 00007FF6B9CBA33F
RCC, xrefs: 00007FF6B9CBA337
csm, xrefs: 00007FF6B9CBA347

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 9cd19f3f06bc7988da1e9b1409e20964e5baf2f5a54db59486cd1313f4ff8454
Instruction ID: 595dd3beadca6964345b2c177c8c2b09bd839b042ccd39813f60dfba2f9b8431
Opcode Fuzzy Hash: 9cd19f3f06bc7988da1e9b1409e20964e5baf2f5a54db59486cd1313f4ff8454
Instruction Fuzzy Hash: 06F0A235D0814AC5EA556F5D805D3B835F0EF58715F569471C34C86392CF7CA8848A96

Function 00007FF6B9CC8D64 Relevance: 9.1, APIs: 6, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::Version.LIBCMT ref: 00007FF6B9CC8D79

Part of subcall function 00007FF6B9CCB508: _SpinWait.LIBCMT ref: 00007FF6B9CCB550
Part of subcall function 00007FF6B9CCB508: Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCMT ref: 00007FF6B9CCB56E

Concurrency::details::UMS::CreateUmsCompletionList.LIBCMT ref: 00007FF6B9CC8D88
Concurrency::details::ResourceManager::Version.LIBCMT ref: 00007FF6B9CC8DF6
Concurrency::details::ResourceManager::Version.LIBCMT ref: 00007FF6B9CC8E00
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CC8E90
_CxxThrowException.LIBCMT ref: 00007FF6B9CC8EA1

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Concurrency::details::$Manager::ResourceVersion$CompletionCreateExceptionInformationListRetrieveSpinSystemThrowWaitstd::bad_exception::bad_exception
String ID:
API String ID: 1876357193-0
Opcode ID: 04b2fa28b64b16b95eb29dc48d225d5f6a05fa65057bac5eed109b2516558bb8
Instruction ID: 46c71cc537c8eaf87ad404e093569b962cc45525ec588bab7755ccda6cb969f7
Opcode Fuzzy Hash: 04b2fa28b64b16b95eb29dc48d225d5f6a05fa65057bac5eed109b2516558bb8
Instruction Fuzzy Hash: F6318076A0C29353FB685F2DD40827A6BB1FF80780F584539E74ED6696CF2CE8518784

Function 00007FF6B9C84770 Relevance: 9.1, APIs: 6, Instructions: 71networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FF6B9C847DD
connect.WS2_32 ref: 00007FF6B9C847EC
WSAGetLastError.WS2_32 ref: 00007FF6B9C847F7
select.WS2_32 ref: 00007FF6B9C8482D
__WSAFDIsSet.WS2_32 ref: 00007FF6B9C84840
ioctlsocket.WS2_32 ref: 00007FF6B9C8485F

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ioctlsocket$ErrorLastconnectselect
String ID:
API String ID: 3923486878-0
Opcode ID: 03cf7c826b59199f0458c21940543876197c5f873f210f816771850b6b73a7d2
Instruction ID: 573dfd5f6c5ce4959dc9eb72a0d8e89eb4b30ec0ed705d15e37b6bea4fa55d64
Opcode Fuzzy Hash: 03cf7c826b59199f0458c21940543876197c5f873f210f816771850b6b73a7d2
Instruction Fuzzy Hash: 7B21D722A18A8147E3548F29B84C769B771EBC9799F445231EA4EC2AE4DF3CD509CB00

Function 00007FF6B9CAD810 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

localeconv.LIBCMT ref: 00007FF6B9CAD837

Part of subcall function 00007FF6B9CB6AA4: _getptd.LIBCMT ref: 00007FF6B9CB6AA8
Part of subcall function 00007FF6B9CB6AA4: __updatetlocinfo.LIBCMT ref: 00007FF6B9CB6ACB

_Getcvt.LIBCPMT ref: 00007FF6B9CAD844

Part of subcall function 00007FF6B9CAFDE0: ___lc_codepage_func.LIBCMT ref: 00007FF6B9CAFE04
Part of subcall function 00007FF6B9CAFDE0: ___mb_cur_max_func.LIBCMT ref: 00007FF6B9CAFE0B
Part of subcall function 00007FF6B9CAFDE0: ___lc_locale_name_func.LIBCMT ref: 00007FF6B9CAFE13

_Getcvt.LIBCPMT ref: 00007FF6B9CAD86C

Strings

false, xrefs: 00007FF6B9CAD8B3
true, xrefs: 00007FF6B9CAD8E3

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Getcvt$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__updatetlocinfo_getptdlocaleconv
String ID: false$true
API String ID: 379465546-2658103896
Opcode ID: 73d06d7626cf9a4e34ff0ac674d40b771966c80e8ed58987b3a410164db86684
Instruction ID: 69343a70aa2830c18adc6673fd803431e60c1ef7c97db45d89a9857bbebab278
Opcode Fuzzy Hash: 73d06d7626cf9a4e34ff0ac674d40b771966c80e8ed58987b3a410164db86684
Instruction Fuzzy Hash: 0331C222A09B8582DB228F25E44826A77B1FB55BE0B084275DBAD473D9DF3CE155C350

Function 00007FF6B9CBA233 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF6B9CBA287
_getptd.LIBCMT ref: 00007FF6B9CBA23B

Part of subcall function 00007FF6B9CC07B0: _getptd_noexit.LIBCMT ref: 00007FF6B9CC07B6

_getptd.LIBCMT ref: 00007FF6B9CBA2ED
_getptd.LIBCMT ref: 00007FF6B9CBA2F9

Strings

csm, xrefs: 00007FF6B9CBA2BB

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _getptd$ExceptionRaise_getptd_noexit
String ID: csm
API String ID: 1742125525-1018135373
Opcode ID: 07e646bd3f459ca950e7042a5cd6759f866d2739a47ac95533c609a32ddd3d48
Instruction ID: cfc473971d072ff4201cfdefe84a2f56439aa5fe249c17fdfb8a0082107217fa
Opcode Fuzzy Hash: 07e646bd3f459ca950e7042a5cd6759f866d2739a47ac95533c609a32ddd3d48
Instruction Fuzzy Hash: A221293660864686E630DF19E04426E77B0FB85BA5F014232DF9E43796CF3DE485CB45

Function 00007FF6B9CD6334 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF6B9CD6396
_isleadbyte_l.LIBCMT ref: 00007FF6B9CD63C6
MultiByteToWideChar.KERNEL32 ref: 00007FF6B9CD6405
MultiByteToWideChar.KERNEL32 ref: 00007FF6B9CD6453
_errno.LIBCMT ref: 00007FF6B9CD645D

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: 5297c7b9408e9efefd71701747c1766c4c13969b4c72a5129c678fb0fd4e6d0e
Instruction ID: d1746f2d99a84d19bd642a091ec5d317343e9194720e914de7785ff25b12f592
Opcode Fuzzy Hash: 5297c7b9408e9efefd71701747c1766c4c13969b4c72a5129c678fb0fd4e6d0e
Instruction Fuzzy Hash: 38418E32A8878286EB60CF19A244279BAB1FF44B94F188135EB8D97B95DF3CD851C700

Function 00007FF6B9CD86D8 Relevance: 7.5, APIs: 5, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ScheduleGroupSegmentBase::GetDetachedWorkQueue.LIBCMT ref: 00007FF6B9CD86F3

Part of subcall function 00007FF6B9CE2508: ListArray.LIBCMT ref: 00007FF6B9CE2598

InterlockedPopEntrySList.KERNEL32 ref: 00007FF6B9CD870E
Concurrency::details::WorkQueue::WorkQueue.LIBCMT ref: 00007FF6B9CD873F
Concurrency::details::WorkQueue::Reinitialize.LIBCMT ref: 00007FF6B9CD874D

Part of subcall function 00007FF6B9CE6AA8: Concurrency::details::_CriticalNonReentrantLock::_Acquire.LIBCMT ref: 00007FF6B9CE6ABF

ListArray.LIBCMT ref: 00007FF6B9CD8761

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Work$Concurrency::details::List$ArrayQueueQueue::$AcquireBase::Concurrency::details::_CriticalDetachedEntryGroupInterlockedLock::_ReentrantReinitializeScheduleSegment
String ID:
API String ID: 935885060-0
Opcode ID: 9421269130d03d1d2ad055145f5cb457a119ac990fcf1a517f77fa8765db3d48
Instruction ID: ddfd9ca24aeffaf8fcf3f325ece76f064baf820dbcee0956fb011fe8dcf0f99e
Opcode Fuzzy Hash: 9421269130d03d1d2ad055145f5cb457a119ac990fcf1a517f77fa8765db3d48
Instruction Fuzzy Hash: 49115E21A59B4182EF54DF1CE42433822B0FF85B94F544238DB5D877D9EF39E0008304

Function 00007FF6B9C812F0 Relevance: 7.5, APIs: 6, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6B9CB0230: setlocale.LIBCMT ref: 00007FF6B9CB023F

free.LIBCMT ref: 00007FF6B9C8130B

Part of subcall function 00007FF6B9CB5A10: RtlFreeHeap.NTDLL(?,?,?,00007FF6B9CB4EA0,?,?,?,00007FF6B9C81214), ref: 00007FF6B9CB5A26
Part of subcall function 00007FF6B9CB5A10: _errno.LIBCMT ref: 00007FF6B9CB5A30
Part of subcall function 00007FF6B9CB5A10: GetLastError.KERNEL32(?,?,?,00007FF6B9CB4EA0,?,?,?,00007FF6B9C81214), ref: 00007FF6B9CB5A38

free.LIBCMT ref: 00007FF6B9C8131F
free.LIBCMT ref: 00007FF6B9C81331
free.LIBCMT ref: 00007FF6B9C81343
free.LIBCMT ref: 00007FF6B9C81355
free.LIBCMT ref: 00007FF6B9C81367

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errnosetlocale
String ID:
API String ID: 3944588114-0
Opcode ID: a129dca775d2206b801279d9bcf3f6d9b083367e658b8ec053318e3da434a495
Instruction ID: 477164f09c04fb8527da2784a28d66f652158d0f57c8bdd67d17293ba8a21b78
Opcode Fuzzy Hash: a129dca775d2206b801279d9bcf3f6d9b083367e658b8ec053318e3da434a495
Instruction Fuzzy Hash: 8A016121A0664184EF5DDF6990D627973F4EF94F84B185435D70EA7A86CF28DD90C380

Function 00007FF6B9CD61E4 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6B9CD61F5

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

__doserrno.LIBCMT ref: 00007FF6B9CD61ED

Part of subcall function 00007FF6B9CB6658: _getptd_noexit.LIBCMT ref: 00007FF6B9CB665C

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 0927e6ef729c9e596bf91f2aacf5c84096a56864d4d06e221d04a04a90b24eca
Instruction ID: 5a127fc5d31d8f403eeb9f31c2ef3bf4d3c8c0e8d1f4c49c02e727a16a4c117c
Opcode Fuzzy Hash: 0927e6ef729c9e596bf91f2aacf5c84096a56864d4d06e221d04a04a90b24eca
Instruction Fuzzy Hash: 2901ADB2E8AA5A44EE181F1CCA8937C35705F92B35F904338C72D823E2CF3C64008210

Function 00007FF6B9CCC600 Relevance: 7.5, APIs: 5, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Acquire.LIBCMT ref: 00007FF6B9CCC61C

Part of subcall function 00007FF6B9CC66D0: _SpinWait.LIBCMT ref: 00007FF6B9CC66FF

Concurrency::details::SchedulerBase::UpdatePendingVersion.LIBCMT ref: 00007FF6B9CCC624

Part of subcall function 00007FF6B9CCFE00: Concurrency::details::SchedulerBase::ComputeSafePointCommitVersion.LIBCMT ref: 00007FF6B9CCFE09

Concurrency::details::SchedulerBase::CommitToVersion.LIBCMT ref: 00007FF6B9CCC630
Concurrency::details::_CriticalNonReentrantLock::_Acquire.LIBCMT ref: 00007FF6B9CCC638
Concurrency::details::SchedulerBase::UpdateCommitVersion.LIBCMT ref: 00007FF6B9CCC642

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Base::Concurrency::details::SchedulerVersion$Commit$AcquireConcurrency::details::_CriticalLock::_ReentrantUpdate$ComputePendingPointSafeSpinWait
String ID:
API String ID: 4127798528-0
Opcode ID: b752e140cde508a889828605ea4a5ff6bff43a6522ddf288ae4795b530531b87
Instruction ID: 524a5425df8fe1ef01a717886d3786316b77a939af39b5df086e6c35e2f505f3
Opcode Fuzzy Hash: b752e140cde508a889828605ea4a5ff6bff43a6522ddf288ae4795b530531b87
Instruction Fuzzy Hash: 48F09A21E4825241E914AF2AA3490B95A309F98BC0F142031FB4A8BB47CF2CD44283C0

Function 00007FF6B9CB8CA0 Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF6B9CB8CAD

Part of subcall function 00007FF6B9CC07B0: _getptd_noexit.LIBCMT ref: 00007FF6B9CC07B6

_inconsistency.LIBCMT ref: 00007FF6B9CB8CBB

Part of subcall function 00007FF6B9CBEAEC: DecodePointer.KERNEL32(?,?,?,?,00007FF6B9CC431D,?,?,?,00007FF6B9CB8906), ref: 00007FF6B9CBEAF7

_getptd.LIBCMT ref: 00007FF6B9CB8CC0
_inconsistency.LIBCMT ref: 00007FF6B9CB8CDC
_getptd.LIBCMT ref: 00007FF6B9CB8CEC

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _getptd$_inconsistency$DecodePointer_getptd_noexit
String ID:
API String ID: 3566995948-0
Opcode ID: db5a918070a374afb43049a900a9a587905e0fb94cbe37e2d6d5f365a64d4e94
Instruction ID: 8146bd09db297b7318cfe0f061656ed77c44ae43197367cf0aa1a6ec23a60dc8
Opcode Fuzzy Hash: db5a918070a374afb43049a900a9a587905e0fb94cbe37e2d6d5f365a64d4e94
Instruction Fuzzy Hash: F6F01262A0968680EA95AF6DD04D1BD7A74BF4CB80F1C4131E74D87387DF2CE49087D8

Function 00007FF6B9C9AFC1 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6B9C9B009

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

Part of subcall function 00007FF6B9C91EE0: SHGetFolderPathA.SHELL32 ref: 00007FF6B9C91FC2
Part of subcall function 00007FF6B9C91EE0: remove.LIBCMT ref: 00007FF6B9C92080
Part of subcall function 00007FF6B9C91EE0: remove.LIBCMT ref: 00007FF6B9C920AD

_errno.LIBCMT ref: 00007FF6B9C9B0BA

Strings

writing , xrefs: 00007FF6B9C9B14F
bytes to file , xrefs: 00007FF6B9C9B187

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _errnoremove$FolderPath_getptd_noexit
String ID: bytes to file $writing
API String ID: 1059067161-3905530474
Opcode ID: a258a0d2fb234b067224a0abd3bd05381ec48211be329789dcb5eb39b8ade8e1
Instruction ID: a9700fe59b0bdaec251f17135f7ed5dae0aaf4a71527f3e11c0e4e4000e8ddf4
Opcode Fuzzy Hash: a258a0d2fb234b067224a0abd3bd05381ec48211be329789dcb5eb39b8ade8e1
Instruction Fuzzy Hash: DA614B62A4D6C651EA21EF28E4593EE6371EB91784F805431D78EC36AFDF2CE508C704

Function 00007FF6B9CA6360 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xbad_alloc.LIBCPMT ref: 00007FF6B9CA8B39

Part of subcall function 00007FF6B9CB06BC: _CxxThrowException.LIBCMT ref: 00007FF6B9CB06F9

Strings

gfffffff, xrefs: 00007FF6B9CA6372
vector<T> too long, xrefs: 00007FF6B9CA6427
gfffffff, xrefs: 00007FF6B9CA8AD9

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ExceptionThrowXbad_allocstd::_
String ID: gfffffff$gfffffff$vector<T> too long
API String ID: 944563697-3862842194
Opcode ID: f90385889ea05b3f7392f4bf7350b9480659d1bf8b8a68eb028385fe443dc1ed
Instruction ID: 4c32b03fbd76e41d341e83f6a731a34169a6b972e213b2c5d45e0f7d4f3a3c0b
Opcode Fuzzy Hash: f90385889ea05b3f7392f4bf7350b9480659d1bf8b8a68eb028385fe443dc1ed
Instruction Fuzzy Hash: 623193A2F09B6E42ED04CF5FB959064A372AB457C0B508536CF0DCB799EF3CE1418206

Function 00007FF6B9CB5CE4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_getptd_noexit.LIBCMT ref: 00007FF6B9CB5CF0

Part of subcall function 00007FF6B9CC07D4: GetLastError.KERNEL32(?,?,?,00007FF6B9CB66D1,?,?,?,?,00007FF6B9CB5A35,?,?,?,00007FF6B9CB4EA0), ref: 00007FF6B9CC07DE
Part of subcall function 00007FF6B9CC07D4: _calloc_crt.LIBCMT ref: 00007FF6B9CC0801
Part of subcall function 00007FF6B9CC07D4: _initptd.LIBCMT ref: 00007FF6B9CC0825
Part of subcall function 00007FF6B9CC07D4: GetCurrentThreadId.KERNEL32 ref: 00007FF6B9CC082A
Part of subcall function 00007FF6B9CC07D4: SetLastError.KERNEL32(?,?,?,00007FF6B9CB66D1,?,?,?,?,00007FF6B9CB5A35,?,?,?,00007FF6B9CB4EA0), ref: 00007FF6B9CC0842

_calloc_crt.LIBCMT ref: 00007FF6B9CB5D20
_invoke_watson.LIBCMT ref: 00007FF6B9CB5D78

Part of subcall function 00007FF6B9CBD360: _call_reportfault.LIBCMT ref: 00007FF6B9CBD388

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 00007FF6B9CB5CFD

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ErrorLast_calloc_crt$CurrentThread_call_reportfault_getptd_noexit_initptd_invoke_watson
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 835963739-798102604
Opcode ID: e458e596050656dde5d0d4c743bcf5eb15964c97def0755c343391bd7b1bd0b9
Instruction ID: aef561e946007c76fed70822c1c9774d050996b6441ed513259fa34f64cb6915
Opcode Fuzzy Hash: e458e596050656dde5d0d4c743bcf5eb15964c97def0755c343391bd7b1bd0b9
Instruction Fuzzy Hash: BA11AD22A1878A42FBA4AF28D15D3BD32B1AF85B44F595534DB0D8B786EF3DF8418340

Function 00007FF6B9CE45A4 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FF6B9CE45C8

Part of subcall function 00007FF6B9CB5D80: _getptd.LIBCMT ref: 00007FF6B9CB5D96
Part of subcall function 00007FF6B9CB5D80: __updatetlocinfo.LIBCMT ref: 00007FF6B9CB5DCB
Part of subcall function 00007FF6B9CB5D80: __updatetmbcinfo.LIBCMT ref: 00007FF6B9CB5DF2

_errno.LIBCMT ref: 00007FF6B9CE45D4

Part of subcall function 00007FF6B9CB66C8: _getptd_noexit.LIBCMT ref: 00007FF6B9CB66CC

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6B9CE45DF
strchr.LIBCMT ref: 00007FF6B9CE45F5

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 36c0bb8c8628e5e199e1d459f3f3e4ff65f57ebdba7ca7f1b266bdbb24a60703
Instruction ID: 0f25d7b2cc6021c27046713b0a511e382b5c0b0894a06193fa63ddb0db85cb02
Opcode Fuzzy Hash: 36c0bb8c8628e5e199e1d459f3f3e4ff65f57ebdba7ca7f1b266bdbb24a60703
Instruction Fuzzy Hash: FE21C362A2DAE641EB615F1A905A17DB6F1EB80BD4F184131EB9F87AC5CF2CF8418710

Function 00007FF6B9CCC20C Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B9CCCA80: TlsGetValue.KERNEL32(?,?,?,?,00007FF6B9CCC21A), ref: 00007FF6B9CCCA8A

Concurrency::details::SchedulerBase::AttachExternalContext.LIBCMT ref: 00007FF6B9CCC224

Part of subcall function 00007FF6B9CCC274: TlsGetValue.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B9CCC8F8,?,?,?,00007FF6B9CBB153), ref: 00007FF6B9CCC28F
Part of subcall function 00007FF6B9CCC274: Concurrency::details::InternalContextBase::LeaveScheduler.LIBCMT ref: 00007FF6B9CCC2B0
Part of subcall function 00007FF6B9CCC274: Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00007FF6B9CCC2D3

Concurrency::details::SchedulerBase::ThrowSchedulerEvent.LIBCMT ref: 00007FF6B9CCC24B

Part of subcall function 00007FF6B9CCFC84: Concurrency::details::Etw::Trace.LIBCMT ref: 00007FF6B9CCFCF5

std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CCC25B
_CxxThrowException.LIBCMT ref: 00007FF6B9CCC26C

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Concurrency::details::Scheduler$Base::$Context$ExternalThrowValue$AttachEtw::EventExceptionInternalLeaveTracestd::bad_exception::bad_exception
String ID:
API String ID: 3337661974-0
Opcode ID: a8ffa42869d0cca481dc8e7d30508a6de5a9f9c283b2c504f4a04659c1eefe2b
Instruction ID: e135c3e55d394cca8c17d6af1ee012c9ff3c8fab36407518a023dcde2cff8f5c
Opcode Fuzzy Hash: a8ffa42869d0cca481dc8e7d30508a6de5a9f9c283b2c504f4a04659c1eefe2b
Instruction Fuzzy Hash: 92F09A62A4865742ED20AFADD8591B51B30AF8A348F080830DB5ECB7A3CE3DB5468784

Function 00007FF6B9CDA99C Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CDA9D6
_CxxThrowException.LIBCMT ref: 00007FF6B9CDA9E7
std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CDA9F9
_CxxThrowException.LIBCMT ref: 00007FF6B9CDAA0A

Part of subcall function 00007FF6B9CDA6A0: std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CDA6D4
Part of subcall function 00007FF6B9CDA6A0: _CxxThrowException.LIBCMT ref: 00007FF6B9CDA6E5

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ExceptionThrowstd::bad_exception::bad_exception
String ID:
API String ID: 1480402491-0
Opcode ID: 52b6f9ac578ef59788abf9f234be2f52d284893acd74629aa72149f022c5e788
Instruction ID: aa048b468adb241a4ad4e8b04b023f5e41a6952b30ca25404085d51435f7c452
Opcode Fuzzy Hash: 52b6f9ac578ef59788abf9f234be2f52d284893acd74629aa72149f022c5e788
Instruction Fuzzy Hash: C9F06262A4891B81EE10AF2AD5561B92371FF45384F814531E78DC66EADF2DD506C340

Function 00007FF6B9CE9340 Relevance: 6.0, APIs: 4, Instructions: 21threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B9CDD610), ref: 00007FF6B9CE934B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B9CDD610), ref: 00007FF6B9CE935A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT ref: 00007FF6B9CE9373
_CxxThrowException.LIBCMT ref: 00007FF6B9CE9384

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastPriorityThreadThrow
String ID:
API String ID: 152467346-0
Opcode ID: bd81974e09e3a9616df76e0388476f62eaa7e0dc68a4e20fee498b5bbef2bd85
Instruction ID: 73c16d310719c13bb5d7ef1a3ef03bcbef0ca12e3b67fd6015c6f5ed02ec0048
Opcode Fuzzy Hash: bd81974e09e3a9616df76e0388476f62eaa7e0dc68a4e20fee498b5bbef2bd85
Instruction Fuzzy Hash: B6E06565A18A4786EB14AF2AD80927523B1FF88748F908931D34DC65A4EF3DE50ACB40

Function 00007FF6B9CCC9B4 Relevance: 6.0, APIs: 4, Instructions: 19timeCOMMON

Download Yara Rule

APIs

UnregisterWaitEx.KERNEL32 ref: 00007FF6B9CCC9C8
Concurrency::details::platform::__DeleteTimerQueueTimer.LIBCMT ref: 00007FF6B9CCC9DB

Part of subcall function 00007FF6B9CC6000: DeleteTimerQueueTimer.KERNEL32 ref: 00007FF6B9CC6030

CloseHandle.KERNEL32 ref: 00007FF6B9CCC9E7
Concurrency::details::SchedulerBase::Finalize.LIBCMT ref: 00007FF6B9CCC9F9

Part of subcall function 00007FF6B9CCCAA4: CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B9CCF973,?,?,00000000,00007FF6B9CCC335), ref: 00007FF6B9CCCACA
Part of subcall function 00007FF6B9CCCAA4: InterlockedFlushSList.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B9CCF973,?,?,00000000,00007FF6B9CCC335), ref: 00007FF6B9CCCB10
Part of subcall function 00007FF6B9CCCAA4: InterlockedFlushSList.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B9CCF973,?,?,00000000,00007FF6B9CCC335), ref: 00007FF6B9CCCB53
Part of subcall function 00007FF6B9CCCAA4: Concurrency::details::SchedulerBase::ThrowSchedulerEvent.LIBCMT ref: 00007FF6B9CCCBB0

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Timer$Scheduler$Base::CloseConcurrency::details::DeleteFlushHandleInterlockedListQueue$Concurrency::details::platform::__EventFinalizeThrowUnregisterWait
String ID:
API String ID: 1020705008-0
Opcode ID: 5d5854dba2f339c7cf30f9e02c3e4fad926736d1f37232c3274770b9356adc06
Instruction ID: be3dc2ed82a4a6e859e2a4e648e0f2723b7f0ae4d76c0c4d54a6475a5be0b1e4
Opcode Fuzzy Hash: 5d5854dba2f339c7cf30f9e02c3e4fad926736d1f37232c3274770b9356adc06
Instruction Fuzzy Hash: 5BE09262A0948281FB005F7A984D3BD2230EF44BB4F486331CE3E891EACF1980854354

Function 00007FF6B9CA59D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

std::_Xbad_alloc.LIBCPMT ref: 00007FF6B9CA8856

Part of subcall function 00007FF6B9CB06BC: _CxxThrowException.LIBCMT ref: 00007FF6B9CB06F9

std::_Xbad_alloc.LIBCPMT ref: 00007FF6B9CA88BF

Part of subcall function 00007FF6B9CB7C18: malloc.LIBCMT ref: 00007FF6B9CB7C32

Strings

vector<T> too long, xrefs: 00007FF6B9CA5A4E

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Xbad_allocstd::_$ExceptionThrowmalloc
String ID: vector<T> too long
API String ID: 1779041212-3788999226
Opcode ID: ab913dcbeb243f7378f64ac265282a4f72605455fcb9a8e55051d2279df21308
Instruction ID: 209e3bed6dee21e815ecfa2f9f08c626394ee77cbf35e69a5f3575da46cd146a
Opcode Fuzzy Hash: ab913dcbeb243f7378f64ac265282a4f72605455fcb9a8e55051d2279df21308
Instruction Fuzzy Hash: 6351E272B05B8583EA14DF2AA449169A2B5FB44BE0F148631DFAC57BD9EF3CE441C304

Function 00007FF6B9CA6BF0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00007FF6B9CA6DB3

Strings

+, xrefs: 00007FF6B9CA6D21
%, xrefs: 00007FF6B9CA6D0D

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 6fa85a4a5f98d9b2edd65c8fc52f8eaba122c580845481ee6f06e08475fe2951
Instruction ID: af454b4035acc25f66e2aa36f41bf4e7d694679ca0e2dae952390733b359a2a2
Opcode Fuzzy Hash: 6fa85a4a5f98d9b2edd65c8fc52f8eaba122c580845481ee6f06e08475fe2951
Instruction Fuzzy Hash: 65514722E0CB8185FB228F39E5993BA6771FF553C4F145231DB8E93A99DF2CE4418600

Function 00007FF6B9CA6E30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00007FF6B9CA6FE7

Strings

%, xrefs: 00007FF6B9CA6F3D
+, xrefs: 00007FF6B9CA6F51

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: ba670cdc73b5d295f30c137456232ec9728c73304c93483a7b7d5d2b88c9bbc0
Instruction ID: 35f4e95ce86498c773e81ef98b0d6eb8bce07f6966465cf1c2eeb0c31c974b47
Opcode Fuzzy Hash: ba670cdc73b5d295f30c137456232ec9728c73304c93483a7b7d5d2b88c9bbc0
Instruction Fuzzy Hash: DC512922A0CB8189FB628F28E9593BA6771EF553C4F449231EB4D93B99DF3CE445C600

Function 00007FF6B9CA6AF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00007FF6B9CA6B99

Strings

%, xrefs: 00007FF6B9CA6B1E
+, xrefs: 00007FF6B9CA6B32

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 4f884a797e3be12bfada8cb5e3661bfcc9e2ec278513ca55729cd4a6a98e770f
Instruction ID: eb1802ae7efe87562ae7e0e4b21c6b1bc72b74669cb21381c97ef51e97ce99bd
Opcode Fuzzy Hash: 4f884a797e3be12bfada8cb5e3661bfcc9e2ec278513ca55729cd4a6a98e770f
Instruction Fuzzy Hash: 7021F15260CBC485E7258B19E4893EAB771EB95B84F449035DB8C03BCADF2CD509CB41

Function 00007FF6B9CA69F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00007FF6B9CA6A99

Strings

+, xrefs: 00007FF6B9CA6A32
%, xrefs: 00007FF6B9CA6A1E

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: bd2448649ee57e4d5998f2208d3a164235575cf06586aa510bff15654f418069
Instruction ID: 34292149d80875db9c7ec5ace2a5a12b92b2ffb5fc2fbd816cd47c6f06270b5f
Opcode Fuzzy Hash: bd2448649ee57e4d5998f2208d3a164235575cf06586aa510bff15654f418069
Instruction Fuzzy Hash: 1C21024260C7C484F7258B19E4893FAB7B1EB95B84F448035DB8D43B8ADF2CDA09C741

Function 00007FF6B9CA68F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00007FF6B9CA698F

Strings

%, xrefs: 00007FF6B9CA691E
+, xrefs: 00007FF6B9CA6931

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: c2ab8cbe4c38ac8b2161e06a6ed5e29d440f316e3521188a2708fde680d69b84
Instruction ID: 8599cffb3720c00f5590d980a7c0ff56582fca5dc103637ba1de71c23adc4823
Opcode Fuzzy Hash: c2ab8cbe4c38ac8b2161e06a6ed5e29d440f316e3521188a2708fde680d69b84
Instruction Fuzzy Hash: 9921FC5260C7C085E7218B2AE4493FAB770EBAA780F485035EBCC43B89DF2CD049CB51

Function 00007FF6B9CA67F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00007FF6B9CA688F

Strings

%, xrefs: 00007FF6B9CA681E
+, xrefs: 00007FF6B9CA6831

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 38663dba18d0d25d2075d16b7d25364ae185f2c545367c52f6517a1dd6074f36
Instruction ID: 46d12fd57a497a2891b917dd6073f3edb10555d73a05608185187a388a945fc4
Opcode Fuzzy Hash: 38663dba18d0d25d2075d16b7d25364ae185f2c545367c52f6517a1dd6074f36
Instruction Fuzzy Hash: 7021FE52A0C7C086E7218B18E4453EAB774EBA9798F445035EB8D43B89DF2CD045CB51

Function 00007FF6B9CEBD9D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF6B9CEBE61

Strings

csm, xrefs: 00007FF6B9CEBE1D
csm, xrefs: 00007FF6B9CEBDC4

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 761bbdb581a1da8e2284ec1f21cb742ae57594a5225517d28d8f09f6c435668e
Instruction ID: c9a07d0bfe9dfbb363495fe8714e724bca0a867c660f099c8c93bc712035efba
Opcode Fuzzy Hash: 761bbdb581a1da8e2284ec1f21cb742ae57594a5225517d28d8f09f6c435668e
Instruction Fuzzy Hash: 4031EA77514B05CAEB608F6AC0852B83B75F758B9DF4A1225E70E4BB54CF39E890C784

Function 00007FF6B9CE70C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 00007FF6B9CE70ED

Part of subcall function 00007FF6B9CBAE18: malloc.LIBCMT ref: 00007FF6B9CBAE43
Part of subcall function 00007FF6B9CBAE18: Sleep.KERNEL32(?,?,?,00007FF6B9CB93C0,?,?,?,00007FF6B9CB92BF), ref: 00007FF6B9CBAE56

_CxxThrowException.LIBCMT ref: 00007FF6B9CE7131

Part of subcall function 00007FF6B9CB87F8: RtlPcToFileHeader.KERNEL32 ref: 00007FF6B9CB8887
Part of subcall function 00007FF6B9CB87F8: RaiseException.KERNEL32 ref: 00007FF6B9CB88C6

Strings

bad allocation, xrefs: 00007FF6B9CE70FA

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Exception$FileHeaderRaiseSleepThrow_malloc_crtmalloc
String ID: bad allocation
API String ID: 340456944-2104205924
Opcode ID: 35f1bc3740df1caf6d7d07bf89e0cc798afd3c848886c57562113992f615682e
Instruction ID: 2d528af39ce5451a0fb6b4c71a3e2fb0fb0cd6617ebc74d3b8a0e7ab9a2ef596
Opcode Fuzzy Hash: 35f1bc3740df1caf6d7d07bf89e0cc798afd3c848886c57562113992f615682e
Instruction Fuzzy Hash: 53216F32614F8292EB10CF19E88426973B4FB89BA4F588235DB9D477A4DF3CE565C740

Function 00007FF6B9CBC77A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF6B9CBC805

Strings

!, xrefs: 00007FF6B9CBC831
sqrt, xrefs: 00007FF6B9CBC7F9

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _handle_error
String ID: !$sqrt
API String ID: 1757819995-799759792
Opcode ID: 062c47d617d1b06cc8f9885f04ed537725f66ac90b938101cb89aa41ff868c8d
Instruction ID: 859271c4fee0be3bb325f93b42bdd80da73e2dd8f73fa2bfdaf523edb8ad7bc9
Opcode Fuzzy Hash: 062c47d617d1b06cc8f9885f04ed537725f66ac90b938101cb89aa41ff868c8d
Instruction Fuzzy Hash: 4721C272D58BC983D711CF69A04436A7671FFD67A4F200325EB6816ACACF2DD0808B00

Function 00007FF6B9CEBE91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B9CB8CA0: _getptd.LIBCMT ref: 00007FF6B9CB8CAD
Part of subcall function 00007FF6B9CB8CA0: _inconsistency.LIBCMT ref: 00007FF6B9CB8CBB
Part of subcall function 00007FF6B9CB8CA0: _getptd.LIBCMT ref: 00007FF6B9CB8CC0
Part of subcall function 00007FF6B9CB8CA0: _inconsistency.LIBCMT ref: 00007FF6B9CB8CDC

_getptd.LIBCMT ref: 00007FF6B9CEBEE4
_getptd.LIBCMT ref: 00007FF6B9CEBEF7

Part of subcall function 00007FF6B9CB8D30: _getptd.LIBCMT ref: 00007FF6B9CB8D39

Strings

csm, xrefs: 00007FF6B9CEBEB1

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _getptd$_inconsistency
String ID: csm
API String ID: 1773999731-1018135373
Opcode ID: cc382658ad257d6a53cdc3de2009e2b9ead7a3f4f7326b46ffc43048dfa9dc90
Instruction ID: e24ca323792de54888e4aafeb778acf1d6ffc46a6338817d5063adb9b5b2876a
Opcode Fuzzy Hash: cc382658ad257d6a53cdc3de2009e2b9ead7a3f4f7326b46ffc43048dfa9dc90
Instruction Fuzzy Hash: D90144229046828ADBA4DF36C8592BD2374EB55799F041432FB0D87745DF28E880C780

Function 00007FF6B9CDBB84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00007FF6B9CDBBD4
_CxxThrowException.LIBCMT ref: 00007FF6B9CDBBF1

Strings

pContext, xrefs: 00007FF6B9CDBBBE

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ExceptionThrowstd::exception::exception
String ID: pContext
API String ID: 4279132481-2046700901
Opcode ID: 9a9254acd0818dea865ed3536d1d2b2c234e7448caf268871d4950f6f5e143a4
Instruction ID: da5457f4719814dba526633689b2a7c703127e7b73ab919f6d1cedb9b81ea1f1
Opcode Fuzzy Hash: 9a9254acd0818dea865ed3536d1d2b2c234e7448caf268871d4950f6f5e143a4
Instruction Fuzzy Hash: 70F06966A08B4A91DE14DF19E198169A371FB88BC8B448031DB9D87B68EF7CD158CB00

Function 00007FF6B9CBC778 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF6B9CBC805

Strings

sqrt, xrefs: 00007FF6B9CBC7F9
!, xrefs: 00007FF6B9CBC7E9

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: _handle_error
String ID: !$sqrt
API String ID: 1757819995-799759792
Opcode ID: 9ee81001ab96a3020d92c62d35741d9657c359ef35bf3942f53d73308bbadfc5
Instruction ID: e0750bb44a57d1d776bd54178da378746dc0e5706435c25ad70bbba9b9951810
Opcode Fuzzy Hash: 9ee81001ab96a3020d92c62d35741d9657c359ef35bf3942f53d73308bbadfc5
Instruction Fuzzy Hash: B8F0D172E58B8982D700CF54E4453777632EFEB794F204326EA5C4AB89DF2DE0808B00

Function 00007FF6B9CE0888 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00007FF6B9CE08B3
_CxxThrowException.LIBCMT ref: 00007FF6B9CE08D0

Strings

pThreadProxy, xrefs: 00007FF6B9CE089D

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: ExceptionThrowstd::exception::exception
String ID: pThreadProxy
API String ID: 4279132481-3651400591
Opcode ID: 3b6d5a5437ee8c8c730aa7db00305f52f2161aba5272be33be333d17a79e59f8
Instruction ID: bb1c61e422e47e0fd15caabdf0d42a66843004425d364e7a34e2e0d887d386e9
Opcode Fuzzy Hash: 3b6d5a5437ee8c8c730aa7db00305f52f2161aba5272be33be333d17a79e59f8
Instruction Fuzzy Hash: 59E03076A08B4B91DD24DF48E05919963B4FB45388F904531D39C87B64DF7CE20ACB00

Function 00007FF6B9CE911D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CE912F

Part of subcall function 00007FF6B9CB4C48: std::bad_exception::bad_exception.LIBCMT ref: 00007FF6B9CB4C51

_CxxThrowException.LIBCMT ref: 00007FF6B9CE9140

Part of subcall function 00007FF6B9CB87F8: RtlPcToFileHeader.KERNEL32 ref: 00007FF6B9CB8887
Part of subcall function 00007FF6B9CB87F8: RaiseException.KERNEL32 ref: 00007FF6B9CB88C6

Strings

Access violation - no RTTI data!, xrefs: 00007FF6B9CE9123

Memory Dump Source

Source File: 00000000.00000002.1698382434.00007FF6B9C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6B9C80000, based on PE: true

Associated: 00000000.00000002.1698297531.00007FF6B9C80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698422664.00007FF6B9CF1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698445077.00007FF6B9D13000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698499589.00007FF6B9D1A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6b9c80000_wnGDKyXdAo.jbxd

Similarity

API ID: Exceptionstd::bad_exception::bad_exception$FileHeaderRaiseThrow
String ID: Access violation - no RTTI data!
API String ID: 2866377151-2158758863
Opcode ID: 23997e88545030d1aea56eb2b441ca10bd2c9bedac894ae6f7fbeb74f77f7ac1
Instruction ID: 21b9712b15115d7511ccee370a7fdd4db27c6cfa6999928000da8dd3df6480cc
Opcode Fuzzy Hash: 23997e88545030d1aea56eb2b441ca10bd2c9bedac894ae6f7fbeb74f77f7ac1
Instruction Fuzzy Hash: 1EE04F27618A8A91DB41CF09F4447A96330F785398F815172EF1C83659DF3DD98BC704

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wnGDKyXdAo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: wnGDKyXdAo.exePID: 5016, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 2872, Parent PID: 5016

General

Chronological Activities

Disassembly

Windows Analysis Report
wnGDKyXdAo.exe

Function 00007FF6B9CC2644 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460
COMMONLIBRARYCODE

Function 00007FF6B9CB7C18 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73
COMMONLIBRARYCODE

Function 00007FF6B9CB7CC5 Relevance: 21.1, APIs: 14, Instructions: 76
COMMON

Function 00007FF6B9CD5528 Relevance: 16.6, APIs: 11, Instructions: 81
COMMONLIBRARYCODE

Function 00007FF6B9CC4E1C Relevance: 15.1, APIs: 10, Instructions: 67
COMMONLIBRARYCODE

Function 00007FF6B9CC2314 Relevance: 15.1, APIs: 10, Instructions: 67
COMMONLIBRARYCODE

Function 00007FF6B9CC2564 Relevance: 13.6, APIs: 9, Instructions: 67
COMMONLIBRARYCODE

Function 00007FF6B9CC36E8 Relevance: 13.6, APIs: 9, Instructions: 57
COMMONLIBRARYCODE

Function 00007FF6B9CA3A00 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 195
COMMON

Function 00007FF6B9C8DF90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103
networkCOMMON

Function 00007FF6B9CA35E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 198
COMMON

Function 00007FF6B9CB0974 Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Function 00007FF6B9CC741C Relevance: 4.6, APIs: 3, Instructions: 65
COMMONLIBRARYCODE

Function 00007FF6B9C8DE90 Relevance: 4.5, APIs: 3, Instructions: 46
COMMON

Function 00007FF6B9CA3D00 Relevance: 3.1, APIs: 2, Instructions: 69
COMMON