Edit tour

Windows Analysis Report
praxisbackup.exe

Overview

General Information

Sample name:	praxisbackup.exe
Analysis ID:	1541092
MD5:	dbf8fe8bde46ead1bc550a03ad4a3f74
SHA1:	888f27dd2269119cf9524474a6a0b559d0d201a1
SHA256:	ca601708a3822d4f1fbea39171c8d5e94c0b8741f35a5a2fb63cd6d71da29b1a
Tags:	exeMS4Killeruser-smica83
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Sample is not signed and drops a device driver

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables driver privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

praxisbackup.exe (PID: 4136 cmdline: "C:\Users\user\Desktop\praxisbackup.exe" MD5: DBF8FE8BDE46EAD1BC550A03AD4A3F74)

WerFault.exe (PID: 1020 cmdline: C:\Windows\system32\WerFault.exe -u -p 4136 -s 488 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 4060 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 5012 cmdline: C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Sigma Signatures

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 4060, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: praxisbackup.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: praxisbackup.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 85.8% probability

Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64218BB80 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,HeapFree,CreateNamedPipeW,GetLastError,BCryptGenRandom,BCryptGenRandom,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,BCryptGenRandom,HeapFree,	0_2_00007FF64218BB80
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642192750 BCryptGenRandom,	0_2_00007FF642192750
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642192730 BCryptGenRandom,	0_2_00007FF642192730

Source: praxisbackup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\itm_mon\itm_mon_3.0.0.4\driver\objfre_wlh_amd64\amd64\Probmon.pdb source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr

Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642181A20 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,FindFirstFileW,FindClose,HeapFree,		0_2_00007FF642181A20
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421A08D8 FindFirstFileExW,		0_2_00007FF6421A08D8

Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr	String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr	String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr	String found in binary or memory: http://www.globalsign.net/repository/0
Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr	String found in binary or memory: http://www.globalsign.net/repository09

Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642161C00 FilterConnectCommunicationPort,GetCommandLineW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenSCManagerW,OpenServiceW,FilterLoad,CloseServiceHandle,CloseServiceHandle,HeapFree,GlobalMemoryStatusEx,GetLastError,K32GetPerformanceInfo,PdhCollectQueryData,PdhOpenQueryA,HeapFree,NtQuerySystemInformation,HeapFree,HeapFree,HeapFree,AcquireSRWLockExclusive,HeapFree,Sleep,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,Sleep,FilterConnectCommunicationPort,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,PdhRemoveCounter,CloseHandle,GetLastError,HeapFree,PdhCloseQuery,HeapFree,HeapFree,HeapFree,FilterSendMessage,HeapFree,CloseHandle,HeapFree,HeapFree,	0_2_00007FF642161C00
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642179610 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,	0_2_00007FF642179610
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421963E0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,GetProcessMemoryInfo,GetLastError,GetLastError,GetModuleFileNameExW,HeapFree,	0_2_00007FF6421963E0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642197A50 NtQueryInformationProcess,NtQueryInformationProcess,HeapFree,HeapFree,	0_2_00007FF642197A50
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421637C9 NtQuerySystemInformation,	0_2_00007FF6421637C9
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64216381D HeapFree,NtQuerySystemInformation,	0_2_00007FF64216381D

Source: C:\Users\user\Desktop\praxisbackup.exe

File created: C:\Windows\System32\Drivers\Sysprox.sys

Jump to behavior

Source: C:\Users\user\Desktop\praxisbackup.exe

File created: C:\Windows\System32\Drivers\Sysprox.sys

Jump to behavior

Source: C:\Users\user\Desktop\praxisbackup.exe

File created: C:\Windows\System32\Drivers\Sysprox.sys

Jump to behavior

Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642199350	0_2_00007FF642199350
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642161C2B	0_2_00007FF642161C2B
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642161C00	0_2_00007FF642161C00
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64218BB80	0_2_00007FF64218BB80
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421963E0	0_2_00007FF6421963E0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64216CC20	0_2_00007FF64216CC20
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642163C3B	0_2_00007FF642163C3B
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642198450	0_2_00007FF642198450
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64218A4B0	0_2_00007FF64218A4B0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421654B8	0_2_00007FF6421654B8
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64217ACC0	0_2_00007FF64217ACC0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642176970	0_2_00007FF642176970
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642194140	0_2_00007FF642194140
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642171990	0_2_00007FF642171990
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64217C190	0_2_00007FF64217C190
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421991C0	0_2_00007FF6421991C0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642193210	0_2_00007FF642193210
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642168280	0_2_00007FF642168280
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421AC2C0	0_2_00007FF6421AC2C0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421942C0	0_2_00007FF6421942C0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421AB2D0	0_2_00007FF6421AB2D0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64219EF40	0_2_00007FF64219EF40
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421A97B0	0_2_00007FF6421A97B0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64217D870	0_2_00007FF64217D870
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421830B5	0_2_00007FF6421830B5
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642192880	0_2_00007FF642192880
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642170090	0_2_00007FF642170090
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642180090	0_2_00007FF642180090
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421A08D8	0_2_00007FF6421A08D8
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642170920	0_2_00007FF642170920
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64216B910	0_2_00007FF64216B910
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642195D60	0_2_00007FF642195D60
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642198D60	0_2_00007FF642198D60
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64216ADA0	0_2_00007FF64216ADA0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64218B5B0	0_2_00007FF64218B5B0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64217C5B0	0_2_00007FF64217C5B0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64218A660	0_2_00007FF64218A660
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421A7EA8	0_2_00007FF6421A7EA8
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64217CEF0	0_2_00007FF64217CEF0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64218F6D0	0_2_00007FF64218F6D0
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642188720	0_2_00007FF642188720

Source: C:\Users\user\Desktop\praxisbackup.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\praxisbackup.exe

Code function: String function: 00007FF642168810 appears 78 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136

Source: praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameprobmon.sys4 vs praxisbackup.exe

Source: classification engine

Classification label: mal72.evad.winEXE@7/8@0/0

Source: C:\Users\user\Desktop\praxisbackup.exe

Code function: 0_2_00007FF64217ACC0 GetModuleHandleW,FormatMessageW,GetLastError,HeapFree,HeapFree,

0_2_00007FF64217ACC0

Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642161C2B FilterConnectCommunicationPort,HeapFree,GetCurrentProcessId,FilterSendMessage,HeapFree,CloseHandle,HeapFree,GetProcessHeap,HeapFree,GetCommandLineW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetCurrentProcess,OpenProcessToken,HeapFree,LookupPrivilegeValueW,HeapFree,AdjustTokenPrivileges,HeapFree,CloseHandle,HeapFree,HeapFree,HeapFree,OpenSCManagerW,HeapFree,OpenServiceW,GetLastError,CreateServiceW,HeapFree,RegOpenKeyW,HeapFree,RegCreateKeyW,HeapFree,RegCreateKeyW,HeapFree,RegSetValueExW,HeapFree,RegSetValueExW,HeapFree,HeapFree,FilterLoad,CloseServiceHandle,HeapFree,CloseServiceHandle,HeapFree,HeapFree,GlobalMemoryStatusEx,GetLastError,K32GetPerformanceInfo,PdhCollectQueryData,HeapFree,HeapFree,		0_2_00007FF642161C2B
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642161C00 FilterConnectCommunicationPort,GetCommandLineW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenSCManagerW,OpenServiceW,FilterLoad,CloseServiceHandle,CloseServiceHandle,HeapFree,GlobalMemoryStatusEx,GetLastError,K32GetPerformanceInfo,PdhCollectQueryData,PdhOpenQueryA,HeapFree,NtQuerySystemInformation,HeapFree,HeapFree,HeapFree,AcquireSRWLockExclusive,HeapFree,Sleep,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,Sleep,FilterConnectCommunicationPort,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,PdhRemoveCounter,CloseHandle,GetLastError,HeapFree,PdhCloseQuery,HeapFree,HeapFree,HeapFree,FilterSendMessage,HeapFree,CloseHandle,HeapFree,HeapFree,		0_2_00007FF642161C00

Source: C:\Users\user\Desktop\praxisbackup.exe

Code function: FilterConnectCommunicationPort,HeapFree,GetCurrentProcessId,FilterSendMessage,HeapFree,CloseHandle,HeapFree,GetProcessHeap,HeapFree,GetCommandLineW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetCurrentProcess,OpenProcessToken,HeapFree,LookupPrivilegeValueW,HeapFree,AdjustTokenPrivileges,HeapFree,CloseHandle,HeapFree,HeapFree,HeapFree,OpenSCManagerW,HeapFree,OpenServiceW,GetLastError,CreateServiceW,HeapFree,RegOpenKeyW,HeapFree,RegCreateKeyW,HeapFree,RegCreateKeyW,HeapFree,RegSetValueExW,HeapFree,RegSetValueExW,HeapFree,HeapFree,FilterLoad,CloseServiceHandle,HeapFree,CloseServiceHandle,HeapFree,HeapFree,GlobalMemoryStatusEx,GetLastError,K32GetPerformanceInfo,PdhCollectQueryData,HeapFree,HeapFree,

0_2_00007FF642161C2B

Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4136

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\04940959-5de7-442f-b0ab-e767a510a4d1

Jump to behavior

Source: praxisbackup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\praxisbackup.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: praxisbackup.exe

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\praxisbackup.exe "C:\Users\user\Desktop\praxisbackup.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136
Source: C:\Users\user\Desktop\praxisbackup.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4136 -s 488
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4136 -s 488	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\praxisbackup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\praxisbackup.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\praxisbackup.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\praxisbackup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\praxisbackup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\praxisbackup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior

Source: praxisbackup.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: praxisbackup.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: praxisbackup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: C:\Users\user\Desktop\praxisbackup.exe

Code function: 0_2_00007FF64218F6D0 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,HeapFree,RtlCaptureContext,RtlLookupFunctionEntry,GetCurrentProcessId,CreateMutexA,CloseHandle,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,HeapFree,GetLastError,HeapFree,HeapFree,

0_2_00007FF64218F6D0

Source: praxisbackup.exe

Static PE information: section name: _RDATA

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\praxisbackup.exe

File created: C:\Windows\System32\Drivers\Sysprox.sys

Jump to behavior

Source: C:\Users\user\Desktop\praxisbackup.exe

File created: C:\Windows\System32\drivers\Sysprox.sys

Jump to dropped file

Source: C:\Users\user\Desktop\praxisbackup.exe

File created: C:\Windows\System32\drivers\Sysprox.sys

Jump to dropped file

Source: C:\Users\user\Desktop\praxisbackup.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sysprox\Instances

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking system information)

Source: C:\Users\user\Desktop\praxisbackup.exe

Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep

graph_0-33367

Source: C:\Users\user\Desktop\praxisbackup.exe

Dropped PE file which has not been started: C:\Windows\System32\drivers\Sysprox.sys

Jump to dropped file

Source: C:\Users\user\Desktop\praxisbackup.exe

API coverage: 5.9 %

Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF642181A20 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,FindFirstFileW,FindClose,HeapFree,		0_2_00007FF642181A20
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421A08D8 FindFirstFileExW,		0_2_00007FF6421A08D8

Source: C:\Users\user\Desktop\praxisbackup.exe

Code function: 0_2_00007FF642192880 HeapFree,GetSystemInfo,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,

0_2_00007FF642192880

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\praxisbackup.exe

Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

graph_0-33367

Source: C:\Users\user\Desktop\praxisbackup.exe

Code function: 0_2_00007FF64219A790 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF64219A790

Source: C:\Users\user\Desktop\praxisbackup.exe

0_2_00007FF64218F6D0

Source: C:\Users\user\Desktop\praxisbackup.exe

Code function: 0_2_00007FF642199350 GetProcessHeap,HeapAlloc,SysFreeString,SysStringLen,FormatMessageW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00007FF642199350

Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF6421A842C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6421A842C
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64219A938 SetUnhandledExceptionFilter,	0_2_00007FF64219A938
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64219A790 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF64219A790
Source: C:\Users\user\Desktop\praxisbackup.exe	Code function: 0_2_00007FF64219FE9C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF64219FE9C

Source: C:\Users\user\Desktop\praxisbackup.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4136 -s 488			Jump to behavior

Source: C:\Users\user\Desktop\praxisbackup.exe

Code function: 0_2_00007FF6421A7CF0 cpuid

0_2_00007FF6421A7CF0

Source: C:\Users\user\Desktop\praxisbackup.exe

Code function: 0_2_00007FF64218BB80 BCryptGenRandom,GetCurrentProcessId,BCryptGenRandom,HeapFree,CreateNamedPipeW,GetLastError,BCryptGenRandom,BCryptGenRandom,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,BCryptGenRandom,HeapFree,

0_2_00007FF64218BB80

Source: C:\Users\user\Desktop\praxisbackup.exe

Code function: 0_2_00007FF6421963E0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,GetProcessMemoryInfo,GetLastError,GetLastError,GetModuleFileNameExW,HeapFree,

0_2_00007FF6421963E0

Source: C:\Users\user\Desktop\praxisbackup.exe

Code function: 0_2_00007FF642197CD1 HeapFree,HeapFree,RtlGetVersion,

0_2_00007FF642197CD1

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	21 Windows Service	1 Access Token Manipulation	3 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 LSASS Driver	21 Windows Service	1 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	12 Process Injection	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 LSASS Driver	1 Access Token Manipulation	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	12 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
praxisbackup.exe	53%	ReversingLabs	Win64.Trojan.Generic
praxisbackup.exe	100%	Avira	TR/Agent.ziksx

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\System32\drivers\Sysprox.sys	4%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://secure.globalsign.net/cacert/PrimObject.crt0	praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr	false		unknown
http://secure.globalsign.net/cacert/ObjectSign.crt09	praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr	false		unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
http://www.globalsign.net/repository09	praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr	false		unknown
http://www.globalsign.net/repository/0	praxisbackup.exe, 00000000.00000002.2174354870.000000D6B4CF5000.00000004.00000010.00020000.00000000.sdmp, Sysprox.sys.0.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541092
Start date and time:	2024-10-24 12:07:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	praxisbackup.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@7/8@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 21 Number of non-executed functions: 109
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: praxisbackup.exe

Simulations

Behavior and APIs

Time	Type	Description
06:08:01	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_praxisbackup.exe_fa851c8bd9c5583f741cfa88ae4a1244eeb19db5_9be301e6_7c27b446-6383-4edf-b7b5-fb839c6564ce\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8003036856596354
Encrypted:	false
SSDEEP:	96:1B/FUtYUf50RsU7hqfUp7qabSKQXIDcQGc6aTcEYcw35nF+HbHg/opAnQVxj7OU7:DDJRqHB0osC0j1CizuiFfZ24lO8M5
MD5:	E4E30391A3AC425A15CEFE6B7BC4270B
SHA1:	875CA407E37F52A65C7179A17570ED84AB3E1EC2
SHA-256:	857D64934963626D489EB3C5874164B46719D4DDA065ED8056E43C1A1EA352B3
SHA-512:	6387F8C5AB64275599C7D8643B0681179A57C51AD96B870A3B92114DFF5E4BCCF9311B7DA227B2141FC501527D74DE3C6E8B1DFC40AE5BF0ED70C300DF3BD189
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.2.3.8.0.7.8.6.1.4.0.7.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.2.3.8.0.7.8.9.2.6.5.6.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.2.7.b.4.4.6.-.6.3.8.3.-.4.e.d.f.-.b.7.b.5.-.f.b.8.3.9.c.6.5.6.4.c.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.9.a.8.a.b.0.c.-.6.5.8.2.-.4.9.c.e.-.a.d.e.c.-.f.d.6.2.f.e.3.b.9.3.9.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.r.a.x.i.s.b.a.c.k.u.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.2.8.-.0.0.0.1.-.0.0.1.5.-.9.0.2.c.-.e.d.9.9.f.c.2.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.2.9.1.a.2.a.1.1.6.2.1.1.c.0.7.8.3.f.7.3.1.b.e.5.4.6.3.b.1.c.e.0.0.0.0.f.f.f.f.!.0.0.0.0.8.8.8.f.2.7.d.d.2.2.6.9.1.1.9.c.f.9.5.2.4.4.7.4.a.6.a.0.b.5.5.9.d.0.d.2.0.1.a.1.!.p.r.a.x.i.s.b.a.c.k.u.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.7././.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB2F.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Oct 24 10:07:58 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	82532
Entropy (8bit):	1.7109558267026694
Encrypted:	false
SSDEEP:	192:h8kDJdQUVZl4S7OQu7clAVW1/He+Z7vflPHGhTfXf20Eu:h7QECQu7OAmfHGNfuru
MD5:	1C9C0B7CBAB35B81A9E063691F1E4B17
SHA1:	93FAD0AA7750E9E8E0AE8FCA49C0B7A45A2E45E1
SHA-256:	23A97CF4DEBEE6D62A09CB74C1AFCC481E3F92A288545558ED4A98D182F99005
SHA-512:	DD2F930BDD24A8390AE41E953EC361AB000EEC089FEC41BBCFA6EFBB7B5CC2C258CC37EA077F093AE12E8FA8A5D3EFADD898F6C7B4CB56FC0E5DE72AACB585BF
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......~..g........................h................+..........`.......8...........T...........H..../..................................................................................................................eJ..............Lw......................T.......(...~..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBAD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8610
Entropy (8bit):	3.695174274762487
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+eP3rL6Y2DuiA5gmfK9pDM89b50Tgfzjim:R6lXJXP3rL6YziA5gmfKB500fnz
MD5:	A27AE78CD5F93AAFEE92FD3AAFE0A60F
SHA1:	1067FC04B0F17579ACEE463E6ED7D7EEA4F17D88
SHA-256:	2CF5D29FE39B2826ACAC7B58C8C346984D87691C13B5B92CE29FF92F1E44AFFA
SHA-512:	433412B8D277C07CC2C100BFC4AD356CCB2214FB72945EEA0B00F5B7E12601B31D57551CB00565A2B8082324BDC189A767ADB9C64A41B8CF8C58F8D7BA8D8A8B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBED.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4770
Entropy (8bit):	4.434759248687144
Encrypted:	false
SSDEEP:	48:cvIwWl8zsXJg771I9ikwWpW8VY0Ym8M4JQoHhFSIoyq8vlHNvXVtsMXd:uIjf5I7UJ7VoJQ8uIoWtNvFtDXd
MD5:	6A4D41754AA66C47B93A307BBAEDB6EA
SHA1:	CABF23089547681AEA10AF838B9245F2EFD7BECC
SHA-256:	9D5FF394F5C064E9FB24865CEC2B146E43F023FA2DEF439598A4726D8E447581
SHA-512:	B8DDF0D8DC0DFFDC926F66B1439FC53C1E5DF7E4710808403F73F0DD6F0BD82BD8ECB6FA7E7DB4B052FD6726F7B52A0F0CF807ED2FCBAC894CC41E4004293A06
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="557350" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBFA.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	75858
Entropy (8bit):	3.08239652802643
Encrypted:	false
SSDEEP:	1536:l5rTjwmhCXU2aMOQVavZQAIvumulCxznl0:l5rTjwmhCXU2aMOQVaBQAIvumulCxznK
MD5:	C68947A43DA933A02D10DC6501863A9D
SHA1:	DE7AD3D3CB1FFFA01AA5A1864341A24D0EDEE7D5
SHA-256:	5EB9B1100E3503FCF1D787A588FEE4988C9B16A45A03089711E16BBC71234B64
SHA-512:	B08A8E7F80C482B6106FF35CA2F2246B00249CA9284BB9C0AF2A277D2512745277F3568CD3EC86BA3717200E94878F875DD02DB09B57FE73E725E357A42C42B8
Malicious:	false
Reputation:	low
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC3A.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.684535737226691
Encrypted:	false
SSDEEP:	96:TiZYW7Puya+zYRYRiWm5HFUYEZybtk0iVHlKV8wdj4xnyaBICM9acNIL93:2ZD7OMWmU3zdaBICM93SL93
MD5:	2C0A842216FB16D36C2B03DD596406C5
SHA1:	479CFAD5D33072FB541BA1DB7C57F86E1AA23FBB
SHA-256:	B838E2AE32872C21562E580366AC68B0018FA8CB9C736D18097F18ADDD4D49ED
SHA-512:	4D2FB7F2E75F3102E622B56F31C595D9A6D311C9745145F4FF737A85FDDEBB95E52E8EF0BDB332F7BF517894C91CB8DF7238402DA402E0F45B026BD00A57A758
Malicious:	false
Reputation:	low
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Windows\System32\drivers\Sysprox.sys

Download File

Process:	C:\Users\user\Desktop\praxisbackup.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30864
Entropy (8bit):	6.396093720120602
Encrypted:	false
SSDEEP:	384:s33h+malYtzO7zmQ++jiPV+PQ6eg3OOAFN0rA1Ghj8mfFxf3xlSUYJLdSkjGZfdG:yx8YPoj8L6WOqGSfmb3C5Ltiq
MD5:	8C8C93A6B6C6D6E632A54877FC1A209E
SHA1:	7310D6399683BA3EB2F695A2071E0E45891D743B
SHA-256:	023D722CBBDD04E3DB77DE7E6E3CFEABCEF21BA5B2F04C3F3A33691801DD45EB
SHA-512:	E3EDC27A93979AE757CAB65169BBC82C4FF28C3262D3D7DA89A88A88D8D273260D2802EB1F1EABB9158A625CCA17119590C83567831F4C5A9243FE09DD5909D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%..pa..#a..#a..#h..#`..#h..#b..#a..#M..#FT.#d..#FT.#`..#h..#l..#h..#c..#FT.#`..#h..#`..#h..#`..#h..#`..#Richa..#........................PE..d...Q\.N.........."......F..........T...........................................................................................................<.......0....p..h....Z..............`Q...............................................P..`............................text....9.......:.................. ..h.rdata.......P.......>..............@..H.data........`.......D..............@....pdata..h....p.......F..............@..HINIT....0............H.............. ....rsrc...0............T..............@..B.reloc..l............X..............@..B................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468765901031446
Encrypted:	false
SSDEEP:	6144:RzZfpi6ceLPx9skLmb0f9ZWSP3aJG8nAgeiJRMMhA2zX4WABluuN3jDH5S:JZHt9ZWOKnMM6bFp9j4
MD5:	6D5FA8CB6F332E7E7C4DA2A066D7C376
SHA1:	E02DCA77F18BDF36532B5CD94ED2E8977E15B32F
SHA-256:	1AB2B95CEE914853C66A7A99852D5696074B94706954DBA1CB28C62C1F4CD58B
SHA-512:	7E148D78BA0EC87E844960C306809E7853EEF1A0E1A166A655B299590444E238D8458618ED5FA61C10F91744CEC1E753AFB4240A5D28957C102CD9BBAD0283E2
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.]...%..............................................................................................................................................................................................................................................................................................................................................t...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.500561305430131
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	praxisbackup.exe
File size:	455'168 bytes
MD5:	dbf8fe8bde46ead1bc550a03ad4a3f74
SHA1:	888f27dd2269119cf9524474a6a0b559d0d201a1
SHA256:	ca601708a3822d4f1fbea39171c8d5e94c0b8741f35a5a2fb63cd6d71da29b1a
SHA512:	cfcaee08a31394c4275f397ed6e71fa8c0009204f0c9cbfd2afbfcac6cc9b0245b34546196f994012afcbbdd642e15ad24bd54c315dbc01d1f45d6e6e3b92ccb
SSDEEP:	6144:+21l/vZY5g2hjEP1HAdYn8EQaQuNVChDb0/ejTEM3KDpaCx+n36GBdPhow499:+233ZY59+zrnOPSeg1E8+nqQU
TLSH:	E5A46D56B69618FCE06AC07487479662B97674850F31BDEF02E4C6302F66AE16F3CF60
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q=...S...S...S..hP...S..hV...S..hW...S..oV...S..oW...S..oP...S..hR...S...R.7.S...S...S...Q...S.Rich..S.................PE..d..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14003a370
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A223AC [Thu Jul 25 10:06:36 2024 UTC]
TLS Callbacks:	0x40017910, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	37fe08ddc1d4080dbc99a7c5239f84e1

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F52E89094C8h
dec eax
add esp, 28h
jmp 00007F52E8909047h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007F52E89091E8h
inc cx
and edx, 8D4DF000h
wait
add al, dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a0dc	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6e000	0x2c64	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0xb3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x64560	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x64580	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x64420	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4d000	0x568	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4c000	0x4c000	d383c507f0669d59dc3072fa7d1be25b	False	0.5349956311677632	data	6.367339784179062	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4d000	0x1e43e	0x1e600	f86dd3ef117d34ae5a3dbb746a1c7bcc	False	0.5475742669753086	data	6.286081709132401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6c000	0x1e28	0xc00	534bc851862c7bb90d1f63e918a2365d	False	0.14811197916666666	data	2.0534634817214195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6e000	0x2c64	0x2e00	fa226992598a99845a4359c1a18260d9	False	0.49006453804347827	data	5.554780329580169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x71000	0x15c	0x200	6516a0d0a52941e212f00c3abf77a223	False	0.40625	data	3.3597801501968023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0xb3c	0xc00	bcff3c31ad984a0c19f40e73aa8331a8	False	0.5475260416666666	data	5.31623579190179	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ntdll.dll	RtlUnwindEx, NtQuerySystemInformation, RtlGetVersion, NtQueryInformationProcess, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, RtlNtStatusToDosError, NtWriteFile, RtlPcToFileHeader
ADVAPI32.dll	OpenSCManagerW, CopySid, GetLengthSid, IsValidSid, GetTokenInformation, SystemFunction036, CloseServiceHandle, RegSetValueExW, RegCreateKeyW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, CreateServiceW, OpenServiceW, RegOpenKeyW
KERNEL32.dll	GetCPInfo, WideCharToMultiByte, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, OpenProcess, HeapFree, CloseHandle, GetLastError, HeapReAlloc, GetCurrentProcessId, GetProcessHeap, GetCommandLineW, GetCurrentProcess, GlobalMemoryStatusEx, K32GetPerformanceInfo, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, Sleep, WaitForSingleObject, GetExitCodeProcess, AddVectoredExceptionHandler, SetThreadStackGuarantee, SwitchToThread, SleepConditionVariableSRW, WakeConditionVariable, WakeAllConditionVariable, GetSystemInfo, GetModuleHandleA, GetProcAddress, GetCurrentThread, TryAcquireSRWLockExclusive, GetStdHandle, GetConsoleMode, MultiByteToWideChar, WriteConsoleW, SetLastError, GetModuleHandleW, FormatMessageW, GetEnvironmentVariableW, GetModuleFileNameW, CreateFileW, SetFileInformationByHandle, GetFullPathNameW, GetFileInformationByHandle, GetFileInformationByHandleEx, FindFirstFileW, FindClose, GetEnvironmentStringsW, FreeEnvironmentStringsW, CompareStringOrdinal, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, DuplicateHandle, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, CreateNamedPipeW, CreateThread, ReadFileEx, SleepEx, WriteFileEx, ExitProcess, GetSystemTimeAsFileTime, HeapAlloc, GetCurrentDirectoryW, CreateMutexA, WaitForSingleObjectEx, LoadLibraryA, ReleaseMutex, AcquireSRWLockShared, ReleaseSRWLockShared, GetProcessTimes, GetOEMCP, ReadProcessMemory, VirtualQueryEx, GetSystemTimes, GetProcessIoCounters, LocalFree, LoadLibraryExA, FreeLibrary, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, SetFilePointerEx, GetConsoleOutputCP, FlushFileBuffers, HeapSize, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, GetCommandLineA, FlsGetValue, GetModuleHandleExW, FlsAlloc, TerminateProcess, WriteFile, QueryPerformanceCounter, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, EncodePointer, RaiseException, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW
fltlib.dll	FilterLoad, FilterSendMessage, FilterConnectCommunicationPort
pdh.dll	PdhCollectQueryData, PdhGetFormattedCounterValue, PdhAddEnglishCounterW, PdhOpenQueryA, PdhRemoveCounter, PdhCloseQuery
bcrypt.dll	BCryptGenRandom
psapi.dll	GetModuleFileNameExW, GetProcessMemoryInfo
shell32.dll	CommandLineToArgvW
powrprof.dll	CallNtPowerInformation
oleaut32.dll	GetErrorInfo, SysStringLen, SysFreeString

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 12:08:41.695358992 CEST	53	61755	162.159.36.2	192.168.2.6
Oct 24, 2024 12:08:42.434678078 CEST	53	56726	1.1.1.1	192.168.2.6

Target ID:	0
Start time:	06:07:58
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\praxisbackup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\praxisbackup.exe"
Imagebase:	0x7ff642160000
File size:	455'168 bytes
MD5 hash:	DBF8FE8BDE46EAD1BC550A03AD4A3F74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:07:58
Start date:	24/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:07:58
Start date:	24/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 476 -p 4136 -ip 4136
Imagebase:	0x7ff67b750000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:07:58
Start date:	24/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4136 -s 488
Imagebase:	0x7ff67b750000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	41.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	22

Executed Functions

Function 00007FF642161C2B Relevance: 113.8, APIs: 52, Strings: 12, Instructions: 1808memorywindowCOMMON

Download Yara Rule

APIs

FilterConnectCommunicationPort.FLTLIB ref: 00007FF642161C53
HeapFree.KERNEL32 ref: 00007FF642161C93
GetCurrentProcessId.KERNEL32 ref: 00007FF642161CE8
FilterSendMessage.FLTLIB ref: 00007FF642161D29
HeapFree.KERNEL32 ref: 00007FF642161D64
CloseHandle.KERNEL32 ref: 00007FF642161D6D
HeapFree.KERNEL32 ref: 00007FF642161DA8
GetProcessHeap.KERNEL32 ref: 00007FF642161DC1
HeapFree.KERNEL32 ref: 00007FF642161DCF
GetCommandLineW.KERNEL32 ref: 00007FF642161F53

Strings

prox.sys, xrefs: 00007FF642162803
Altitude, xrefs: 00007FF642162E7C
SeLoadDriverPrivilege, xrefs: 00007FF6421626BB
Instances, xrefs: 00007FF642162C85
lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs, xrefs: 00007FF64216641D
key_used disappeared, xrefs: 00007FF64216636C
a Display implementation returned an error unexpectedly, xrefs: 00007FF6421665BB
global_key_idle disappearedC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\system.rs, xrefs: 00007FF6421664A8
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642161EE7, 00007FF642166590, 00007FF64216662A, 00007FF642166673, 00007FF6421666E1, 00007FF642166998
DefaultInstance, xrefs: 00007FF642162DFF
Total CP, xrefs: 00007FF64216346F
145610, xrefs: 00007FF642162E4D, 00007FF642166CC6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Heap$Free$FilterProcess$CloseCommandCommunicationConnectCurrentHandleLineMessagePortSend
String ID: 145610$Altitude$DefaultInstance$Instances$SeLoadDriverPrivilege$Total CP$a Display implementation returned an error unexpectedly$called `Result::unwrap()` on an `Err` value$global_key_idle disappearedC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\system.rs$key_used disappeared$lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs$prox.sys
API String ID: 3801287639-683359153
Opcode ID: 0a1ee703c9f6c6cd9522429e7abf1e7fd968c1f66fe1a50610399dca9d061c00
Instruction ID: 7b1e6de750f9fb0f953e8c6742ce2964aef5df632fa5acdad0d655a83e8a984e
Opcode Fuzzy Hash: 0a1ee703c9f6c6cd9522429e7abf1e7fd968c1f66fe1a50610399dca9d061c00
Instruction Fuzzy Hash: EC232C71A0CA8295E720BF65D8803ED2361FB4578CF605136DA4DC7A99DFBEE249CB40

Function 00007FF642161C00 Relevance: 108.9, APIs: 51, Strings: 10, Instructions: 2131COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF642199350: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00007FF642161C1A), ref: 00007FF64219937D
Part of subcall function 00007FF642199350: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00007FF642161C1A), ref: 00007FF64219938B

FilterConnectCommunicationPort.FLTLIB ref: 00007FF642161C53

Strings

prox.sys, xrefs: 00007FF642162803
SeLoadDriverPrivilege, xrefs: 00007FF6421626BB
lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs, xrefs: 00007FF64216641D
key_used disappeared, xrefs: 00007FF64216636C
a Display implementation returned an error unexpectedly, xrefs: 00007FF6421665BB
stdoutlibrary\std\src\io\mod.rsadvancing io slices beyond their length, xrefs: 00007FF6421647B2
global_key_idle disappearedC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\system.rs, xrefs: 00007FF6421664A8
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642161EE7, 00007FF6421657B5, 00007FF642166590, 00007FF64216662A, 00007FF642166673, 00007FF6421666E1, 00007FF642166998
Total CP, xrefs: 00007FF64216346F
145610, xrefs: 00007FF642166CC6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Heap$AllocCommunicationConnectFilterPortProcess
String ID: 145610$SeLoadDriverPrivilege$Total CP$a Display implementation returned an error unexpectedly$called `Result::unwrap()` on an `Err` value$global_key_idle disappearedC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\system.rs$key_used disappeared$lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs$prox.sys$stdoutlibrary\std\src\io\mod.rsadvancing io slices beyond their length
API String ID: 2225638886-153109950
Opcode ID: 46c5eb8db75e555b86b91304e8d49010e0b424edc22671c436a7487e04be387b
Instruction ID: 94077b174db7dba0f2eec4378df8d65ade4c17c6b0108b6c2e036cd201206950
Opcode Fuzzy Hash: 46c5eb8db75e555b86b91304e8d49010e0b424edc22671c436a7487e04be387b
Instruction Fuzzy Hash: 61332B32A0DA8295E720BF25D8807ED23A0FB44788F645136DA4DC7B99DFBEE645C740

Function 00007FF6421654B8 Relevance: 64.3, APIs: 30, Strings: 6, Instructions: 1255
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF642165520

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

Part of subcall function 00007FF642199D20: GetLastError.KERNEL32 ref: 00007FF642199D24

Part of subcall function 00007FF642198EF0: GetErrorInfo.OLEAUT32 ref: 00007FF642198F0F

Part of subcall function 00007FF642198EF0: GetErrorInfo.OLEAUT32 ref: 00007FF642198FFD
Part of subcall function 00007FF642198EF0: SysStringLen.OLEAUT32 ref: 00007FF642199049
Part of subcall function 00007FF642198EF0: GetProcessHeap.KERNEL32 ref: 00007FF642199064
Part of subcall function 00007FF642198EF0: HeapAlloc.KERNEL32 ref: 00007FF642199072
Part of subcall function 00007FF642198EF0: SysFreeString.OLEAUT32 ref: 00007FF64219919B

HeapFree.KERNEL32 ref: 00007FF642166D07

Strings

lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs, xrefs: 00007FF64216641D
key_used disappeared, xrefs: 00007FF64216636C
a Display implementation returned an error unexpectedly, xrefs: 00007FF6421665BB
global_key_idle disappearedC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\system.rs, xrefs: 00007FF6421664A8
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6421657B5, 00007FF642166590, 00007FF64216662A, 00007FF642166673, 00007FF6421666E1, 00007FF642166998
145610, xrefs: 00007FF642166CC6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Heap$ErrorFree$InfoProcessString$AllocLast
String ID: 145610$a Display implementation returned an error unexpectedly$called `Result::unwrap()` on an `Err` value$global_key_idle disappearedC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\system.rs$key_used disappeared$lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs
API String ID: 133633711-915087304
Opcode ID: c3eeafcea2793982fd05e86c101eb800588e8e9ef9211cc381196d77aa50fe25
Instruction ID: 5d6030e062f6fccee96ced01f538b746d401f6fbe8ec6518dc94331e66091915
Opcode Fuzzy Hash: c3eeafcea2793982fd05e86c101eb800588e8e9ef9211cc381196d77aa50fe25
Instruction Fuzzy Hash: 5AD25C31A0CA8295EB20BF25D8403ED23A1FB44798F645136CA5DC7B99DFBEE645C740

Function 00007FF6421991C0 Relevance: 47.7, APIs: 22, Strings: 5, Instructions: 497
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNEL32 ref: 00007FF6421991DF
GetProcAddress.KERNEL32 ref: 00007FF6421991F7
FreeLibrary.KERNEL32 ref: 00007FF64219920E
GetErrorInfo.OLEAUT32(?,?,?,?,?,00000000,8007000E,00000000,?,00007FF642199149), ref: 00007FF642199224
GetProcessHeap.KERNEL32(?,?,?,?,?,00000000,8007000E,00000000,?,00007FF642199149), ref: 00007FF6421992FD
HeapFree.KERNEL32(?,?,?,?,?,00000000,8007000E,00000000,?,00007FF642199149), ref: 00007FF64219930B
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00007FF642161C1A), ref: 00007FF64219937D
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00007FF642161C1A), ref: 00007FF64219938B

Strings

combase.dll, xrefs: 00007FF6421991D0
}0x, xrefs: 00007FF64219990E
Errorcodemessage)HRESULT(, xrefs: 00007FF642199549
RoOriginateError, xrefs: 00007FF6421991ED
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642199328, 00007FF642199506

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Heap$FreeLibraryProcess$AddressAllocErrorInfoLoadProc
String ID: }0x$Errorcodemessage)HRESULT($RoOriginateError$called `Result::unwrap()` on an `Err` value$combase.dll
API String ID: 2127497604-686968424
Opcode ID: 98e497e5f1d13939fe1ff3b75019e8170162513a528eea5f429a0bfdd043751d
Instruction ID: 27bec8629d02dd498e10ac0fc983feaf4072fa1c85dfc3f1648336d53ac8aaa8
Opcode Fuzzy Hash: 98e497e5f1d13939fe1ff3b75019e8170162513a528eea5f429a0bfdd043751d
Instruction Fuzzy Hash: 1C12B062B0CB4282EB24BB15A44077A67A1FF84B98F244135DB4EC3B94DFBEE555CB04

Function 00007FF642199350 Relevance: 24.9, APIs: 11, Strings: 3, Instructions: 367
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00007FF642161C1A), ref: 00007FF64219937D
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00007FF642161C1A), ref: 00007FF64219938B
SysFreeString.OLEAUT32 ref: 00007FF642199608
SysStringLen.OLEAUT32 ref: 00007FF642199624

Strings

}0x, xrefs: 00007FF64219990E
Errorcodemessage)HRESULT(, xrefs: 00007FF642199549
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642199328, 00007FF642199506, 00007FF6421999C6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: HeapString$AllocFreeProcess
String ID: }0x$Errorcodemessage)HRESULT($called `Result::unwrap()` on an `Err` value
API String ID: 1311257442-1998358159
Opcode ID: 08d9abb574120299ed493830fccc2140d5510fdd1d51d38867470fc58d23e6a3
Instruction ID: b2396e49de277f33de4b4f8fad5f67c4321d9903905a84dca459fc5d84992f81
Opcode Fuzzy Hash: 08d9abb574120299ed493830fccc2140d5510fdd1d51d38867470fc58d23e6a3
Instruction Fuzzy Hash: 3CE1D572A1CB4282EB24BB15E44036A77A1EB84B98F244135DB8EC3B94DFBED555CB04

Function 00007FF642181A20 Relevance: 10.7, APIs: 7, Instructions: 192
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileInformationByHandle.KERNEL32 ref: 00007FF642181B9E
GetFileInformationByHandleEx.KERNEL32 ref: 00007FF642181BD9
GetLastError.KERNEL32 ref: 00007FF642181C58
CloseHandle.KERNEL32 ref: 00007FF642181C74
FindFirstFileW.KERNEL32 ref: 00007FF642181CA7
FindClose.KERNEL32 ref: 00007FF642181CB6
HeapFree.KERNEL32 ref: 00007FF642181D44

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FileHandle$CloseFindInformation$ErrorFirstFreeHeapLast
String ID:
API String ID: 3677867274-0
Opcode ID: 131d586c77bb8e1225114036c5bfd5ecaa0b2a8adb6f2e2b8d9715770e3c5b16
Instruction ID: ed188c26f04da4153147bd74606d8abef6958d4a621bc2fa24e026ab354512b5
Opcode Fuzzy Hash: 131d586c77bb8e1225114036c5bfd5ecaa0b2a8adb6f2e2b8d9715770e3c5b16
Instruction Fuzzy Hash: A6917132A08B818AE730AF65E8843ED73B1FB44798F204125CF599BB94DFBDA585C740

Function 00007FF642179610 Relevance: 4.6, APIs: 3, Instructions: 66
filenativesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteFile.NTDLL ref: 00007FF64217965D
WaitForSingleObject.KERNEL32 ref: 00007FF642179672
RtlNtStatusToDosError.NTDLL ref: 00007FF642179696

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorFileObjectSingleStatusWaitWrite
String ID:
API String ID: 3447438843-0
Opcode ID: 6e6696027312d287b9f6ede1e74dd243036de0615eb17cc7ad88cf2b79c64b66
Instruction ID: 7932a4503c59579852cda4a58f8a824381a27baa2cc5ede97f575c97378d4fa5
Opcode Fuzzy Hash: 6e6696027312d287b9f6ede1e74dd243036de0615eb17cc7ad88cf2b79c64b66
Instruction Fuzzy Hash: 1F214332A1CB8182E710AB25F44035A67A5EBD5354F608235E79DC7BA4EFBDE1888F00

Function 00007FF642164F43 Relevance: 18.1, APIs: 5, Strings: 5, Instructions: 584
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF6421652F8
FilterSendMessage.FLTLIB ref: 00007FF64216538C
GetProcessHeap.KERNEL32 ref: 00007FF642166267
HeapFree.KERNEL32 ref: 00007FF642166275

Strings

lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs, xrefs: 00007FF64216641D
a Display implementation returned an error unexpectedly, xrefs: 00007FF6421665BB
global_key_idle disappearedC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\system.rs, xrefs: 00007FF6421664A8
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642166590, 00007FF64216662A, 00007FF642166673, 00007FF6421666E1, 00007FF642166998
145610, xrefs: 00007FF642166CC6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Heap$Free$FilterMessageProcessSend
String ID: 145610$a Display implementation returned an error unexpectedly$called `Result::unwrap()` on an `Err` value$global_key_idle disappearedC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\system.rs$lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs
API String ID: 3046406728-2085223163
Opcode ID: 3f2ab02d6b7665c73b554632a425a4f815591dd1feceb77e277ad0631b542e62
Instruction ID: 4fe13c57eaa3c3d7f15da39a244b66725b57d1e17c4bc79fa833a7e574946082
Opcode Fuzzy Hash: 3f2ab02d6b7665c73b554632a425a4f815591dd1feceb77e277ad0631b542e62
Instruction Fuzzy Hash: 52620C72A0DA8695E720BF60D8403EE2365FB4474CF604136DA4DC7A99DFBEE649C780

Function 00007FF6421918C0 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockShared.KERNEL32 ref: 00007FF642191976
ReleaseSRWLockShared.KERNEL32 ref: 00007FF6421919E9
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF642191E35

Strings

internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs, xrefs: 00007FF642191B4B
Box<dyn Any><unnamed>, xrefs: 00007FF642191D33
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642191949, 00007FF642191EEA, 00007FF642191F92
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF642191CCE, 00007FF642191E8F

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive
String ID: Box<dyn Any><unnamed>$called `Result::unwrap()` on an `Err` value$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs
API String ID: 546267457-360994743
Opcode ID: 81dfeab94eec2f96bf98bfde626f658734753c734c5588812ee3a0919804d8c5
Instruction ID: 4142bdb495c84306b99eee8453639a13172629732d1746f25a2b61fad5d79ecd
Opcode Fuzzy Hash: 81dfeab94eec2f96bf98bfde626f658734753c734c5588812ee3a0919804d8c5
Instruction Fuzzy Hash: 87123726A0CB8188EB11EF65D8403A837A4FB5874CF644136EB4DC3B95DFBAE555CB40

Function 00007FF642164DDA Relevance: 12.8, APIs: 2, Strings: 5, Instructions: 541COMMON

Download Yara Rule

APIs

FilterConnectCommunicationPort.FLTLIB ref: 00007FF642164DF8

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

Strings

lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs, xrefs: 00007FF64216641D
a Display implementation returned an error unexpectedly, xrefs: 00007FF6421665BB
global_key_idle disappearedC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\system.rs, xrefs: 00007FF6421664A8
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642166590, 00007FF64216662A, 00007FF642166673, 00007FF6421666E1, 00007FF642166998
145610, xrefs: 00007FF642166CC6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CommunicationConnectFilterHeapPortProcess
String ID: 145610$a Display implementation returned an error unexpectedly$called `Result::unwrap()` on an `Err` value$global_key_idle disappearedC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\system.rs$lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs
API String ID: 3599910821-2085223163
Opcode ID: 65b88fe088880b4e7db76aa20ddc03aefaf02c9b11c1117b7e81dabafe6f8d84
Instruction ID: c6dd244d4a2c3123ab8f262776fb4758b6bf579ae7a58dce581ef5127ab2559a
Opcode Fuzzy Hash: 65b88fe088880b4e7db76aa20ddc03aefaf02c9b11c1117b7e81dabafe6f8d84
Instruction Fuzzy Hash: 1A52EA72A0CA8695E720BF60D8403EE2365FB4574CF604136DA4DC7A99DFBEE649C780

Function 00007FF64217FE30 Relevance: 12.2, APIs: 8, Instructions: 173
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF64217A0B0: HeapFree.KERNEL32 ref: 00007FF64217A1D9

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00000027,00000000,00007FF642181AAB), ref: 00007FF642180059
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00000027,00000000,00007FF642181AAB), ref: 00007FF64218006C
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000,?,?,00000027,00000000,00007FF642181AAB), ref: 00007FF642180083

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap$CloseErrorHandleLast
String ID:
API String ID: 1415190448-0
Opcode ID: a7f0dbad2ec9ad85bf35a265f88f452913831b2c75793260959fb231b088f851
Instruction ID: aa08fae4c6817215c79f4cf8d76e36c2fe15d04ccd86177bff8b15ba96491459
Opcode Fuzzy Hash: a7f0dbad2ec9ad85bf35a265f88f452913831b2c75793260959fb231b088f851
Instruction Fuzzy Hash: C961806290C64646F761BB21E54037A2B90AB85B9CF350131DF9DC72D5CEFFE8898B10

Function 00007FF6421674F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AddVectoredExceptionHandler.KERNEL32 ref: 00007FF642167511
SetThreadStackGuarantee.KERNELBASE ref: 00007FF64216752B
GetLastError.KERNEL32 ref: 00007FF642167535
HeapFree.KERNEL32 ref: 00007FF6421676C6

Strings

main, xrefs: 00007FF642167544
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642167622, 00007FF64216766A

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorExceptionFreeGuaranteeHandlerHeapLastStackThreadVectored
String ID: called `Result::unwrap()` on an `Err` value$main
API String ID: 1211994890-1038248105
Opcode ID: 9a6b89ae3dcf06dd0bfbf8a5f2641cd9ce85379903b15beb51b794557082b364
Instruction ID: ed7d24d7e622ce766e19848e3b60dbbcbf7ba5aabbe1287e573a24597402a2e0
Opcode Fuzzy Hash: 9a6b89ae3dcf06dd0bfbf8a5f2641cd9ce85379903b15beb51b794557082b364
Instruction Fuzzy Hash: 1C512971E0CA4289FB50BBA0D8803AD2375BB4431CF654139CA4DD7795DFBE914ACB40

Function 00007FF64216577C Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 447
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

Part of subcall function 00007FF642161480: HeapFree.KERNEL32 ref: 00007FF6421614CC

Part of subcall function 00007FF642199D20: GetLastError.KERNEL32 ref: 00007FF642199D24

Part of subcall function 00007FF642198EF0: GetErrorInfo.OLEAUT32 ref: 00007FF642198F0F

Part of subcall function 00007FF642198EF0: GetErrorInfo.OLEAUT32 ref: 00007FF642198FFD
Part of subcall function 00007FF642198EF0: SysStringLen.OLEAUT32 ref: 00007FF642199049
Part of subcall function 00007FF642198EF0: GetProcessHeap.KERNEL32 ref: 00007FF642199064
Part of subcall function 00007FF642198EF0: HeapAlloc.KERNEL32 ref: 00007FF642199072
Part of subcall function 00007FF642198EF0: SysFreeString.OLEAUT32 ref: 00007FF64219919B

HeapFree.KERNEL32 ref: 00007FF642166D07

Strings

a Display implementation returned an error unexpectedly, xrefs: 00007FF6421665BB
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6421657B5, 00007FF642166590, 00007FF64216662A, 00007FF642166673, 00007FF6421666E1, 00007FF642166998
145610, xrefs: 00007FF642166CC6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Heap$ErrorFree$InfoProcessString$AllocLast
String ID: 145610$a Display implementation returned an error unexpectedly$called `Result::unwrap()` on an `Err` value
API String ID: 133633711-381371676
Opcode ID: f5b106cf2a1308dd29e68abda0936052e3e548c0e50c9b3ad663377f214895bc
Instruction ID: 69677ed94e7ac2baaf3cb7be7d5af5409948182d2b8e90b87e6104bf99234eb9
Opcode Fuzzy Hash: f5b106cf2a1308dd29e68abda0936052e3e548c0e50c9b3ad663377f214895bc
Instruction Fuzzy Hash: 8B32FB76A0CA8695E720BF60D8402EE3360FB4574CF604136DA4DD7A99DFBEE249C780

Function 00007FF64219A1F4 Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF64219A208

Part of subcall function 00007FF64219A458: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF64219A47A

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF64219A21D
__scrt_release_startup_lock.LIBCMT ref: 00007FF64219A28B

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: e9faee2332b3457ff8982de28b3003911c84832c8064e044ef79c5e00c5d3bc0
Instruction ID: 50c3a683ce641cab1d3a71a045e70f1e6c687c2a277bccbd66f1a7ed923679ee
Opcode Fuzzy Hash: e9faee2332b3457ff8982de28b3003911c84832c8064e044ef79c5e00c5d3bc0
Instruction Fuzzy Hash: C9314C21E0C646C2FA54BB25D4563BA2391AF4578CF744036EB4DC72D7DEAFA829CE01

Function 00007FF642177C10 Relevance: 4.5, APIs: 3, Instructions: 38
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF64217A0B0: HeapFree.KERNEL32 ref: 00007FF64217A1D9

GetCurrentThread.KERNEL32 ref: 00007FF642177C6B
SetThreadDescription.KERNELBASE ref: 00007FF642177C7E
HeapFree.KERNEL32 ref: 00007FF642177C92

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeapThread$CurrentDescription
String ID:
API String ID: 2762239883-0
Opcode ID: a98f9c6e6697a82a4b15ead7c47c61c3221afefeacadb6e9cd2eb99eec15f024
Instruction ID: c7b310c749cb117900f4a0c1447f55bf65178160d371b590b78c3149312b327c
Opcode Fuzzy Hash: a98f9c6e6697a82a4b15ead7c47c61c3221afefeacadb6e9cd2eb99eec15f024
Instruction Fuzzy Hash: C0017565A0C94681FA50BB12E5043ADA761EFC9FD8F704132DB0DD3768DEAED5868F00

Function 00007FF6421917C0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00007FF6421918AD

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6421917ED

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3298025750-2333694755
Opcode ID: 7201e2280700015d82bf009124e593497983b411f3b19c975f01b453e050a7f8
Instruction ID: c5e36f0d1b22f9c5bd178d31189e4f1d2ad38449bbb3c37e32bead7af8b61a3c
Opcode Fuzzy Hash: 7201e2280700015d82bf009124e593497983b411f3b19c975f01b453e050a7f8
Instruction Fuzzy Hash: 9E31C7B6A08F85C9EB14AB65D0401AC7BB0F759B98F684136CF9C837A4CF69C196CB10

Function 00007FF642180820 Relevance: 2.6, APIs: 2, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d8d23534c16888d49047372829197132799ac259f3a3025ea5a725db84141e
Instruction ID: a8583ddd91757110e46d7a73be2425131f554f3fd8b82e06e1fa6819ae4c8941
Opcode Fuzzy Hash: f4d8d23534c16888d49047372829197132799ac259f3a3025ea5a725db84141e
Instruction Fuzzy Hash: C5319E22F1CA49A8F701EBA2A9447AD2770BB557ACF244531DF0C93794CFBDA186CB10

Function 00007FF6421A2528 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6421A2553

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 58fe9d01bc89c1d0c41b0dd22792b8730bb3802ccff8dd231fdc11e37bc72971
Instruction ID: c4fc0998bac141e05d3b4d8d5cd51c8c718046dfc1db04bc71c511760ffcd14d
Opcode Fuzzy Hash: 58fe9d01bc89c1d0c41b0dd22792b8730bb3802ccff8dd231fdc11e37bc72971
Instruction Fuzzy Hash: CB116A72A1C64282F310BF25A4601B963A4FF84748F660535E78DC7692EFBEE8158F40

Function 00007FF642180940 Relevance: 1.3, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF64218095A

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7b4fe7b788bcb3605861fe087f68e93ee33eb30ee68045489da57a07c4924fb4
Instruction ID: e3859b3ae5cb6cf7be6cfc506d254b73e1e1b767dec95a736a5f049768be9b29
Opcode Fuzzy Hash: 7b4fe7b788bcb3605861fe087f68e93ee33eb30ee68045489da57a07c4924fb4
Instruction Fuzzy Hash: ECF06D23F1CA0945FA12BB55A8853785260AB44BECF140432CF0CD3794CEBEE0C68610

Function 00007FF6421A02C4 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF64219FC5E,?,?,?,00007FF64219DFF2,?,?,?,00007FF6421ACBD6), ref: 00007FF6421A0319

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: b8e3dd6c845d3c96298b05e338b2734fe6e0b663cf81a541b70429510d951669
Instruction ID: 2dc949ca1fe2d3a97a6192f00d4e8ed2ab326e331f7f5fede62ea65b294365d0
Opcode Fuzzy Hash: b8e3dd6c845d3c96298b05e338b2734fe6e0b663cf81a541b70429510d951669
Instruction Fuzzy Hash: 8BF06244B0D60386FF547A6295503B642801F98B88F6C5431CF0DC73D1EEAEE488C911

Function 00007FF6421808B4 Relevance: 1.3, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF64218095A

Part of subcall function 00007FF642179610: NtWriteFile.NTDLL ref: 00007FF64217965D
Part of subcall function 00007FF642179610: WaitForSingleObject.KERNEL32 ref: 00007FF642179672

CloseHandle.KERNEL32 ref: 00007FF6421809AD

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CloseHandle$FileObjectSingleWaitWrite
String ID:
API String ID: 1197516534-0
Opcode ID: 6a76c7b5fb9db5445bf12b57375e8c9cd81899525f051759071d190849ecf108
Instruction ID: 64f9054aa8bb4cc02d2bc17fc41c6a2c0e68903f1294af4557a3cfcf8310a522
Opcode Fuzzy Hash: 6a76c7b5fb9db5445bf12b57375e8c9cd81899525f051759071d190849ecf108
Instruction Fuzzy Hash: B8F04923F18A0485FB02BB65E9813792260BB44BACF140536DF0DC3795CFB9A186C610

Non-executed Functions

Function 00007FF6421830B5 Relevance: 113.9, APIs: 59, Strings: 5, Instructions: 1864memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF642183224

Strings

]?\\, xrefs: 00007FF6421840CB
.exeprogram not found, xrefs: 00007FF64218432E
PATHRUST_MIN_STACKfatal runtime error: assertion failed: thread_info.stack_guard.get().is_none() && thread_info.thread.get().is_none(), xrefs: 00007FF6421858AA
\?\\, xrefs: 00007FF6421840C3
internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs, xrefs: 00007FF642186F9E, 00007FF64218702F

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap
String ID: .exeprogram not found$PATHRUST_MIN_STACKfatal runtime error: assertion failed: thread_info.stack_guard.get().is_none() && thread_info.thread.get().is_none()$\?\\$]?\\$internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs
API String ID: 3298025750-2542956801
Opcode ID: 69dbbc9a06151c27e25d63da7a012765fd4adfceb4b767906ac0218de55de25d
Instruction ID: c01a8c363671f8f295ee4e3545516a096dde03ff0772593a9bdce39f01ff594d
Opcode Fuzzy Hash: 69dbbc9a06151c27e25d63da7a012765fd4adfceb4b767906ac0218de55de25d
Instruction Fuzzy Hash: D6135062A0CAC188E770AF21DC903F927A1FB4578DF644135CB4DDBB99DFBA96458B00

Function 00007FF6421963E0 Relevance: 71.6, APIs: 47, Instructions: 1131memorynativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00007FF64219649F
ReadProcessMemory.KERNEL32 ref: 00007FF6421964DB
ReadProcessMemory.KERNEL32 ref: 00007FF64219650A
HeapFree.KERNEL32 ref: 00007FF6421965E0

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Process$MemoryRead$FreeHeapInformationQuery
String ID:
API String ID: 2913393175-0
Opcode ID: e9d243cf93951d3e7faef81c730f9fff8a640867268e7d641ee9fd4fabe15be4
Instruction ID: 64f7d0d1c5a5b4ddb2bd7f8bb5d15cacd5532f171c407af8e3a2f9aea63bf184
Opcode Fuzzy Hash: e9d243cf93951d3e7faef81c730f9fff8a640867268e7d641ee9fd4fabe15be4
Instruction Fuzzy Hash: 72C26062A0CBC2C1E764BB26A4403AA67A0FF45B88F644135DB9DC3794DFBEE455CB10

Function 00007FF64218F6D0 Relevance: 53.0, APIs: 23, Strings: 7, Instructions: 481libraryloadermemoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF64218F7DA
GetCurrentDirectoryW.KERNEL32 ref: 00007FF64218F7E6
GetLastError.KERNEL32 ref: 00007FF64218F7F2
GetLastError.KERNEL32 ref: 00007FF64218F80C
HeapFree.KERNEL32 ref: 00007FF64218F888
RtlCaptureContext.NTDLL ref: 00007FF64218F9B7
RtlLookupFunctionEntry.NTDLL ref: 00007FF64218FA05
GetCurrentProcessId.KERNEL32 ref: 00007FF64218FAF7
CreateMutexA.KERNEL32 ref: 00007FF64218FBA9
CloseHandle.KERNEL32 ref: 00007FF64218FBD1
WaitForSingleObjectEx.KERNEL32 ref: 00007FF64218FBEF
LoadLibraryA.KERNEL32 ref: 00007FF64218FC08
GetProcAddress.KERNEL32 ref: 00007FF64218FC41
GetProcAddress.KERNEL32 ref: 00007FF64218FC78
GetProcAddress.KERNEL32 ref: 00007FF64218FCAF
GetCurrentProcess.KERNEL32 ref: 00007FF64218FCC8
GetProcAddress.KERNEL32 ref: 00007FF64218FD0F
ReleaseMutex.KERNEL32 ref: 00007FF64218FD66
HeapFree.KERNEL32 ref: 00007FF64218FE77
GetLastError.KERNEL32 ref: 00007FF64218FE93

Strings

SymSetOptions, xrefs: 00007FF64218FC71
SymInitializeW, xrefs: 00007FF64218FCA8
SymAddrIncludeInlineTrace, xrefs: 00007FF64218FD08
internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs, xrefs: 00007FF64218FF5B
SymGetOptions, xrefs: 00007FF64218FC3A
dbghelp.dll, xrefs: 00007FF64218FC01
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64218F911, 00007FF64218FEE3

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AddressErrorLastProc$Current$FreeHeapMutexProcess$CaptureCloseContextCreateDirectoryEntryFunctionHandleLibraryLoadLookupObjectReleaseSingleWait
String ID: SymAddrIncludeInlineTrace$SymGetOptions$SymInitializeW$SymSetOptions$called `Result::unwrap()` on an `Err` value$dbghelp.dll$internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs
API String ID: 2343345281-2399127840
Opcode ID: d6b844103cd9f449027a4133aa8275687497e50c8e799564a43332bc9e41834d
Instruction ID: f61c83280be36dd2a4adb423173ae6e58f0aede7cc6a01b482498f51a1b78a6f
Opcode Fuzzy Hash: d6b844103cd9f449027a4133aa8275687497e50c8e799564a43332bc9e41834d
Instruction Fuzzy Hash: C2322C22A09EC288E771AF25DC403EA27A0FB4575DF644135CA4DC7795EFBA9645CB00

Function 00007FF64218A4B0 Relevance: 37.3, APIs: 20, Strings: 1, Instructions: 566COMMON

Download Yara Rule

Strings

internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs, xrefs: 00007FF64218D9D7, 00007FF64218DF02

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID: internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs
API String ID: 0-4032025951
Opcode ID: 05472ade864a3d7f6dee9db3e666f7149231404a873a8ba34d1dca8e243bcee6
Instruction ID: d145d86f68f9877a091c0c905961e0626effa3fc8d359ce9da91e355e300d55b
Opcode Fuzzy Hash: 05472ade864a3d7f6dee9db3e666f7149231404a873a8ba34d1dca8e243bcee6
Instruction Fuzzy Hash: BB426962A0CBC285E761BF21D8847E923A5FB04B9CF644136CB5CDB794DFBA9685C700

Function 00007FF64217D870 Relevance: 33.9, APIs: 9, Strings: 10, Instructions: 684libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF64217D8D9
GetCurrentProcess.KERNEL32 ref: 00007FF64217D8F2
GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,00000000,?), ref: 00007FF64217DE5A
GetProcAddress.KERNEL32(?,?,?,?,?,00000000,?), ref: 00007FF64217DE93
GetProcAddress.KERNEL32(?,?,?,?,?,00000000,?), ref: 00007FF64217DEE0

Strings

SymFromAddrW, xrefs: 00007FF64217D8D2
SymQueryInlineTrace, xrefs: 00007FF64217DED9
SymGetLineFromInlineContextW, xrefs: 00007FF64217E3DA
SymGetLineFromAddrW64, xrefs: 00007FF64217DC85
X, xrefs: 00007FF64217E009
(, xrefs: 00007FF64217E3B9
SymAddrIncludeInlineTrace, xrefs: 00007FF64217DE8C
(, xrefs: 00007FF64217DC6A
X, xrefs: 00007FF64217D8B4
SymFromInlineContextW, xrefs: 00007FF64217E027

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: ($($SymAddrIncludeInlineTrace$SymFromAddrW$SymFromInlineContextW$SymGetLineFromAddrW64$SymGetLineFromInlineContextW$SymQueryInlineTrace$X$X
API String ID: 2190909847-3202392857
Opcode ID: 243d776034013141ea8f45342857c8998eda0f599b91f83979ff7a201731be2a
Instruction ID: c0908673b75cfb52f026dedd0ac3cb0cbb82655c2bf277a31668bdd3f9fcdcc4
Opcode Fuzzy Hash: 243d776034013141ea8f45342857c8998eda0f599b91f83979ff7a201731be2a
Instruction Fuzzy Hash: E9629D21A0CAC681E766BB14E4453FA67A0FBC4798F204136EB89C3794EFBED545CB40

Function 00007FF642192880 Relevance: 26.8, APIs: 12, Strings: 3, Instructions: 529memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF6421928CA
HeapFree.KERNEL32 ref: 00007FF642192B1F
HeapFree.KERNEL32 ref: 00007FF642192B39
HeapFree.KERNEL32 ref: 00007FF642192CA3

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

Strings

0, xrefs: 00007FF6421929D6
unknownARM x64C:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\cpu.rs, xrefs: 00007FF642192C57
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642193F21

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Heap$Free$InfoProcessSystem
String ID: 0$called `Result::unwrap()` on an `Err` value$unknownARM x64C:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\cpu.rs
API String ID: 3043813636-518316965
Opcode ID: 04ad6df6f7dcb11f5da510ae24e900c09e69ae279736cdda98a8d3d642827188
Instruction ID: 40020a82c798fe0e78dda023f61fd56fcb22f964fb89c992a63ca0b7491cf98d
Opcode Fuzzy Hash: 04ad6df6f7dcb11f5da510ae24e900c09e69ae279736cdda98a8d3d642827188
Instruction Fuzzy Hash: 9832A121A0CBC181E760BB15A4443BAA7A1FF88788F644135DB8DC77A5DFBEE595CB00

Function 00007FF642180090 Relevance: 21.5, APIs: 9, Strings: 3, Instructions: 455COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6421802A7
GetFullPathNameW.KERNEL32 ref: 00007FF6421802C0
GetLastError.KERNEL32 ref: 00007FF6421802CC
GetLastError.KERNEL32 ref: 00007FF6421802E6

Strings

internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs, xrefs: 00007FF64218072F
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6421803C0, 00007FF642180452, 00007FF642180466
\\?\\\?\UNC\, xrefs: 00007FF6421803A3, 00007FF642180403

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID: \\?\\\?\UNC\$called `Result::unwrap()` on an `Err` value$internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs
API String ID: 2482867836-3315185550
Opcode ID: a6eae6b535bd449e38227622cce01ce4aff8c2edc6ba97dd28d84f664c5b5455
Instruction ID: 10912355215c731aa691739b195ddb484d02057441993fa1a0bbf18023d50b9a
Opcode Fuzzy Hash: a6eae6b535bd449e38227622cce01ce4aff8c2edc6ba97dd28d84f664c5b5455
Instruction Fuzzy Hash: 2712D062A0CB8A85E770BF1198843F923A5FB04B9CF614036CB5DC7794CFBAD6858760

Function 00007FF64218BB80 Relevance: 18.5, APIs: 12, Instructions: 504memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF64218BBE0
BCryptGenRandom.BCRYPT ref: 00007FF64218BC1D
HeapFree.KERNEL32 ref: 00007FF64218BCF0

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CryptCurrentFreeHeapProcessRandom
String ID:
API String ID: 1323412823-0
Opcode ID: f3fb4a6efcd70b2634ac480b40fc310e37437d5a4da0368c7cc17890ca0c74ed
Instruction ID: 09b4cf9faa5c7fdb0258ac45bc9d15ce9012fc24377f005a648ec7ef08b9de55
Opcode Fuzzy Hash: f3fb4a6efcd70b2634ac480b40fc310e37437d5a4da0368c7cc17890ca0c74ed
Instruction Fuzzy Hash: D4229132A0CAD189E764AF25D8403EA2BA0FB4479CF244235DB5DC7BD9DFBAD5498700

Function 00007FF64218B5B0 Relevance: 13.8, APIs: 9, Instructions: 264memorythreadCOMMON

Download Yara Rule

APIs

InitializeProcThreadAttributeList.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000002,?,?,?,?,00007FF642186993), ref: 00007FF64218B5F7
HeapReAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000002,?,?,?,?,00007FF642186993), ref: 00007FF64218B67A
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218B9AB

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000002,?,?,?,?,00007FF642186993), ref: 00007FF64218B6A6
InitializeProcThreadAttributeList.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000002,?,?,?,?,00007FF642186993), ref: 00007FF64218B6BE
UpdateProcThreadAttribute.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000002,?,?,?,?,00007FF642186993), ref: 00007FF64218B72A

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Heap$AttributeProcThread$FreeInitializeList$AllocProcessUpdate
String ID:
API String ID: 2216397699-0
Opcode ID: e7905442ef40a86482efce3f2cfaba0b2dc89279905c95cb6bbeb1a5ef79aab9
Instruction ID: 3784533030beb8108b465552543cc85d6c46be9dd2c76183519f00f31bcc5132
Opcode Fuzzy Hash: e7905442ef40a86482efce3f2cfaba0b2dc89279905c95cb6bbeb1a5ef79aab9
Instruction Fuzzy Hash: ABA1C762E1DA5181EB147B169880BB923A0BF49BACF744231DF6DC73D0DE7EE1468B00

Function 00007FF64217ACC0 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 378windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF64217AD23
FormatMessageW.KERNEL32 ref: 00007FF64217AD6A

Strings

NTDLL.DLL, xrefs: 00007FF64217AD1C
assertion failed: self.is_char_boundary(new_len)/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\alloc\src\string.rs, xrefs: 00007FF64217B2FC

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FormatHandleMessageModule
String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\alloc\src\string.rs
API String ID: 2046974992-908490256
Opcode ID: 980187b29f222008639c132e09c1e5e011a18efb8b8c27df43949b506cd94c6f
Instruction ID: 244965186530f4da76a945c22a9ba79b29b50d4f0d7afc05af0f21571a6a92fa
Opcode Fuzzy Hash: 980187b29f222008639c132e09c1e5e011a18efb8b8c27df43949b506cd94c6f
Instruction Fuzzy Hash: 9EF18022A0DAC249E731BF25D804BFD2660FB8479CF544136DB8DCBB98DFB992859700

Function 00007FF642198450 Relevance: 11.0, APIs: 7, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1117908b30af910fa354c5afa37b13eaffa65144e276ff698f216482155e12
Instruction ID: 721b1b5a0cb9121399ad87f99b45d67a26e3af7962abd3bf12711a7d55ca0ed9
Opcode Fuzzy Hash: dc1117908b30af910fa354c5afa37b13eaffa65144e276ff698f216482155e12
Instruction Fuzzy Hash: 2C12E262A1CB8185E760BB25A40037AA7A0FB84BD8F254236DF8ED7794DFBDD455CB00

Function 00007FF64219A790 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF64219A7AC
RtlCaptureContext.NTDLL ref: 00007FF64219A7D9
RtlLookupFunctionEntry.NTDLL ref: 00007FF64219A7F3
RtlVirtualUnwind.NTDLL ref: 00007FF64219A834
IsDebuggerPresent.KERNEL32 ref: 00007FF64219A888
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF64219A8A9
UnhandledExceptionFilter.KERNEL32 ref: 00007FF64219A8B4

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 743d7e6e6fa98b6cccb623df80daaa8ae3b06a8d5d668ebac542380efbae9884
Instruction ID: 5bfca10035d78df4a66be25281b7d88628a720407d83ad4a1027d77eb085f85e
Opcode Fuzzy Hash: 743d7e6e6fa98b6cccb623df80daaa8ae3b06a8d5d668ebac542380efbae9884
Instruction Fuzzy Hash: 80316F72608B8189EB64AF60E8503EE7360FB84748F54443ADB4DC7A94DFB9D64CCB10

Function 00007FF6421A97B0 Relevance: 9.6, APIs: 6, Instructions: 584COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66494ca9b243dc1705976b68b96848ef2e3cd415046dbffdd71f16e5fecea5cc
Instruction ID: a0c5fb5c7513c51618715616a3a2e183f2941574768c3e716f653a2493f46839
Opcode Fuzzy Hash: 66494ca9b243dc1705976b68b96848ef2e3cd415046dbffdd71f16e5fecea5cc
Instruction Fuzzy Hash: AF42C772A0DA8581EB64BB55D1403B963A1FB48798F248136CF9DC7394DFBEE489CB40

Function 00007FF642163C3B Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 580COMMON

Download Yara Rule

Strings

stdoutlibrary\std\src\io\mod.rsadvancing io slices beyond their length, xrefs: 00007FF6421647B2

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: InfoSystem
String ID: stdoutlibrary\std\src\io\mod.rsadvancing io slices beyond their length
API String ID: 31276548-3145101877
Opcode ID: 457e897808cf76c46725366a11ac404015ebf01944043c86ab7d185b97d42b68
Instruction ID: 29104715bb37c6d33a2af24dc1755e3dfc67e544b143be7c4fb94bab3ca2325d
Opcode Fuzzy Hash: 457e897808cf76c46725366a11ac404015ebf01944043c86ab7d185b97d42b68
Instruction Fuzzy Hash: C4528D36A0DBC185E731AF29D8407EC63A4FB55B88F545236CB4C9BB95EF79A680C340

Function 00007FF64219FE9C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF64219FF15
RtlLookupFunctionEntry.NTDLL ref: 00007FF64219FF2D
RtlVirtualUnwind.NTDLL ref: 00007FF64219FF68
IsDebuggerPresent.KERNEL32 ref: 00007FF64219FFA1
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF64219FFAB
UnhandledExceptionFilter.KERNEL32 ref: 00007FF64219FFB6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 2b3865fb88aacf5ea44c591d7fce5a17684136ff4545db75505cd226e3b7d946
Instruction ID: 5bff38b332f33c53443aaedb7f240a619094542974370e3cb34180fe83c50e6d
Opcode Fuzzy Hash: 2b3865fb88aacf5ea44c591d7fce5a17684136ff4545db75505cd226e3b7d946
Instruction Fuzzy Hash: 75317F36608F8195D760EF25E8402AE33A4FB85758F600136EB9DC3B98DFB9D559CB00

Function 00007FF642188720 Relevance: 8.5, APIs: 3, Strings: 2, Instructions: 968memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF642189DF0: CompareStringOrdinal.KERNEL32 ref: 00007FF642189E6F

HeapFree.KERNEL32 ref: 00007FF642188914
HeapFree.KERNEL32 ref: 00007FF642188934
HeapFree.KERNEL32(?,?,?,?,?), ref: 00007FF642189A16

Strings

assertion failed: idx < CAPACITY/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\alloc\src\collections\btree\node.rsassertion failed: edge.height == self.height - 1, xrefs: 00007FF6421899B2
assertion failed: edge.height == self.node.height - 1, xrefs: 00007FF642189845

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap$CompareOrdinalString
String ID: assertion failed: edge.height == self.node.height - 1$assertion failed: idx < CAPACITY/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\alloc\src\collections\btree\node.rsassertion failed: edge.height == self.height - 1
API String ID: 3984308579-1420224799
Opcode ID: 8a4a9184571c56d5fbdeeed28bac1d6b598962224e41b7f47917af0494116bf4
Instruction ID: 98a0cae19cb818cf61f0b1fd88303af59a5912779238049022ff931a8ddfd32d
Opcode Fuzzy Hash: 8a4a9184571c56d5fbdeeed28bac1d6b598962224e41b7f47917af0494116bf4
Instruction Fuzzy Hash: C5B2C032908BC585E722AF28D8453E973B4FB5878CF159222DF8C97765EF79A295C300

Function 00007FF6421AC2C0 Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 602COMMON

Download Yara Rule

Strings

arenegyl, xrefs: 00007FF6421AC6E1
setybdet, xrefs: 00007FF6421AC6F3
uespemos, xrefs: 00007FF6421AC6B3
modnarod, xrefs: 00007FF6421AC6CA

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 4b29c4a4507581d7e1da77fe464455ce379ef3a92620cb91d273da63a6f9e15b
Instruction ID: c1545e6b05180d07336f7153acc17a5e4aab070f7172babc241ac0726ab032bf
Opcode Fuzzy Hash: 4b29c4a4507581d7e1da77fe464455ce379ef3a92620cb91d273da63a6f9e15b
Instruction Fuzzy Hash: 8C228762F18BD542EB10AF69A0016BA6760EB85BA8F509731DF6E937C4DFBDC645C200

Function 00007FF6421AB2D0 Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 567COMMON

Download Yara Rule

Strings

arenegyl, xrefs: 00007FF6421AB71D
modnarod, xrefs: 00007FF6421AB70B
setybdet, xrefs: 00007FF6421AB753
uespemos, xrefs: 00007FF6421AB6F9

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 59d114cbb7cf3425f7ca0be32757e0dd253bab9e5344c840892f3e5284e7499f
Instruction ID: a249c202abdcfc5a2c541127104368552a191fabd4f30b89dfe9b8181fc551db
Opcode Fuzzy Hash: 59d114cbb7cf3425f7ca0be32757e0dd253bab9e5344c840892f3e5284e7499f
Instruction Fuzzy Hash: 93322863E0CBC482E701AB2895117B96320FBA5B98F18A331DFAD57692DF79D2D5C300

Function 00007FF642197A50 Relevance: 6.1, APIs: 4, Instructions: 93memorynativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00007FF642197A7A
NtQueryInformationProcess.NTDLL ref: 00007FF642197B05
HeapFree.KERNEL32 ref: 00007FF642197B2E

Part of subcall function 00007FF642198EF0: GetErrorInfo.OLEAUT32 ref: 00007FF642198F0F

HeapFree.KERNEL32 ref: 00007FF642197B42

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeapInformationProcessQuery$ErrorInfo
String ID:
API String ID: 2435025923-0
Opcode ID: aefaae2991cdcca937f8805b98e610eb725170b33302470b404fb9bf8290d560
Instruction ID: 97510311662edf156a3bcf5350a93218da28082f0e5a8b9ed8396e40a67a584b
Opcode Fuzzy Hash: aefaae2991cdcca937f8805b98e610eb725170b33302470b404fb9bf8290d560
Instruction Fuzzy Hash: A131D7A1B0DA4281FB25BB16E81472E6351AF84BC8F644034DF4EC7794DEBEE555CB00

Function 00007FF642176970 Relevance: 5.9, Strings: 4, Instructions: 851COMMON

Download Yara Rule

Strings

SizeLimitExhausted, xrefs: 00007FF64217774C
)HRESULT(, xrefs: 00007FF64217730C
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6421775CC
,(><&*@, xrefs: 00007FF642177129

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID: )HRESULT($,(><&*@$SizeLimitExhausted$called `Result::unwrap()` on an `Err` value
API String ID: 0-3539436319
Opcode ID: 9d23b0ab8449dc5eef79854cf9a7370b06aca92b7b83ff3c7003b7b3df87a5a2
Instruction ID: 1dd2092454327e6e46eebd93bde1bb56833f8139c2c43dbdc856f796da37b061
Opcode Fuzzy Hash: 9d23b0ab8449dc5eef79854cf9a7370b06aca92b7b83ff3c7003b7b3df87a5a2
Instruction Fuzzy Hash: 0A726422A2C69241EA34BB24E404A792B51ABC679CF744171EB5EC77D4DEBFE542CF00

Function 00007FF642193210 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 374timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(00000000), ref: 00007FF642193470
GetLastError.KERNEL32 ref: 00007FF64219347A

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642193F21

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorLastProcessTimes
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 57209380-2333694755
Opcode ID: 1f5220393dd00f8cc6cd36fd9c17d4f072205a961cd2a5d215843e3d7edae8a9
Instruction ID: 8e530f87f85273b37fdb4a4193c27e736f9f7e1bcc477afd015d4b390612f361
Opcode Fuzzy Hash: 1f5220393dd00f8cc6cd36fd9c17d4f072205a961cd2a5d215843e3d7edae8a9
Instruction Fuzzy Hash: 0E128132A1DBC581E761AB15E4443AEB7A0FB85788F608235DB8C83B69DF7DD195CB00

Function 00007FF642198D60 Relevance: 5.1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

Strings

setybdet, xrefs: 00007FF642198D8C
arenegyl, xrefs: 00007FF642198D7F
modnarod, xrefs: 00007FF642198D72
uespemos, xrefs: 00007FF642198D65

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 091a6ccc470660735186cab2d3ba8baf3d4db2c4787f97b06491e137317c6e4c
Instruction ID: 071927799b550ac06fd3d263d9e437f30218d7cdcd7c9ff600e1d6459755fb36
Opcode Fuzzy Hash: 091a6ccc470660735186cab2d3ba8baf3d4db2c4787f97b06491e137317c6e4c
Instruction Fuzzy Hash: D73128E6B08F8042FE50E7E5787636BA262A3457C0F40E136EE4D9770ADF3DD2528644

Function 00007FF642194140 Relevance: 5.1, Strings: 4, Instructions: 91COMMON

Download Yara Rule

Strings

modnarod, xrefs: 00007FF642194151
uespemos, xrefs: 00007FF642194144
setybdet, xrefs: 00007FF64219416B
arenegyl, xrefs: 00007FF64219415E

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID: arenegyl$modnarod$setybdet$uespemos
API String ID: 0-66988881
Opcode ID: 215142dcae602d2f3ea4f96f8ee62933ef056d2c9625af10d25925b5ae7517e8
Instruction ID: af2b18209a4f0f5b8f3b4e59e55d5ee570df1f6b6091f39cf244ff22b03fff3f
Opcode Fuzzy Hash: 215142dcae602d2f3ea4f96f8ee62933ef056d2c9625af10d25925b5ae7517e8
Instruction Fuzzy Hash: 5921B8E5B58F8042FE80E7D5787636BA262A3457C0F50E036EE4D9770ADF3DD1518644

Function 00007FF64216B910 Relevance: 4.8, APIs: 2, Strings: 1, Instructions: 273memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6421A93C8), ref: 00007FF64216B9DD
HeapFree.KERNEL32 ref: 00007FF64216BAED

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64216BA11, 00007FF64216BD1F

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3298025750-2333694755
Opcode ID: 6e4937fee7c7a55aa6301b56376344d1ec6df4137dbaf70a1476a3a2625a15d3
Instruction ID: ff86766375b8c737183aafa955ef50dfad064ac684e22580fb1ca218a1121f25
Opcode Fuzzy Hash: 6e4937fee7c7a55aa6301b56376344d1ec6df4137dbaf70a1476a3a2625a15d3
Instruction Fuzzy Hash: D8B13562A1CA8582E720AB19E4407F96361FB947A8F505331DF9D937D4DF7ED282CB00

Function 00007FF642197CD1 Relevance: 4.6, APIs: 3, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF642197D5C
HeapFree.KERNEL32 ref: 00007FF642197E10
RtlGetVersion.NTDLL ref: 00007FF642197E86

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap$Version
String ID:
API String ID: 1840724253-0
Opcode ID: a72f4c9e079ac8a3ce135bd6d862b880c031928838592dab96eef995c5568dfc
Instruction ID: a5a1a187f48220230cfaf56af0132eff9043fa86368627d2b1226e0b3d1de086
Opcode Fuzzy Hash: a72f4c9e079ac8a3ce135bd6d862b880c031928838592dab96eef995c5568dfc
Instruction Fuzzy Hash: 2E4132B5A0D64282FA24BB12A5503BA63D0AF44BC8F644075CB4EC77D1DEBFE512CE00

Function 00007FF642170090 Relevance: 3.3, APIs: 2, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4daed141aaf80f77204560b4c978669ef312012ad47e0df97da8f5effd88428e
Instruction ID: 0a676425c527182b5dd4e90872238e72775ab14ea519d9d4e3c436c20ef13612
Opcode Fuzzy Hash: 4daed141aaf80f77204560b4c978669ef312012ad47e0df97da8f5effd88428e
Instruction Fuzzy Hash: D702E923918BD081E3519F20E9543FB3360F7A9B4CF1A6238DF894A299DFBA91D58750

Function 00007FF6421A7EA8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6421A80F7
RaiseException.KERNEL32 ref: 00007FF6421A8108

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 6d2e215f2959516b1cd13a85171f3894bb8fe4bb0b357a9f0567bd10e4720504
Instruction ID: 9820636f9bfe9954b2c01c2e190840f30597c05df82f1315af74106289f58eb3
Opcode Fuzzy Hash: 6d2e215f2959516b1cd13a85171f3894bb8fe4bb0b357a9f0567bd10e4720504
Instruction Fuzzy Hash: 24B13973608B898AEB15EF29C8463687BA0F744B4CF258921DB6DC37A4CF7AD455CB00

Function 00007FF64216CC20 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

arenegyl, xrefs: 00007FF64216CC8D
setybdet, xrefs: 00007FF64216CC83

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: HeapProcess
String ID: arenegyl$setybdet
API String ID: 54951025-2199462733
Opcode ID: 4d3aca2e3e5b4ee9a23cf643c6e151bb07011e25286dd1cac9bd308edabbd955
Instruction ID: 3f21ca11d2bc1f222800781ab0f819b0d04981867e28d2923a6e53b91d3306a6
Opcode Fuzzy Hash: 4d3aca2e3e5b4ee9a23cf643c6e151bb07011e25286dd1cac9bd308edabbd955
Instruction Fuzzy Hash: 96514823B1869186F294BF69BA503A72A10F348798F8C642AEF5CC7351DE79E7D1C340

Function 00007FF64216ADA0 Relevance: 1.7, Strings: 1, Instructions: 483COMMON

Download Yara Rule

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64216B47D

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 0-2333694755
Opcode ID: 5d42bcdef6d1f227f926da1eb309304927c1c2cf1daceb0424439c60706f25c3
Instruction ID: a0e84b87d70808cf99536ad8c6308bc18d19735445b47e6136560afae225f883
Opcode Fuzzy Hash: 5d42bcdef6d1f227f926da1eb309304927c1c2cf1daceb0424439c60706f25c3
Instruction Fuzzy Hash: 4DF14972B1C2A546EB20FB219454FBD6651B710B98F64A231DF5ED3BC0DEBEE6118B00

Function 00007FF642171990 Relevance: 1.7, Strings: 1, Instructions: 422COMMON

Download Yara Rule

Strings

punycode{-}0, xrefs: 00007FF642171EF9

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID: punycode{-}0
API String ID: 0-2450133883
Opcode ID: c8977955ea4242d4e23ec754ed3e6dbded2bd98ab22a7f6ee86e15f2f77d98f1
Instruction ID: a53347029c6760be753da1dd0af3baca1836afec3f2093d933e494f585cc56b6
Opcode Fuzzy Hash: c8977955ea4242d4e23ec754ed3e6dbded2bd98ab22a7f6ee86e15f2f77d98f1
Instruction Fuzzy Hash: 44E10262B1C68542EB60FB15E44477A6791ABC97C8F248131DF4DC3B94DEBEE449CB00

Function 00007FF64216381D Relevance: 1.7, APIs: 1, Instructions: 154nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF642192750: BCryptGenRandom.BCRYPT ref: 00007FF64219276F

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

Part of subcall function 00007FF642192880: GetSystemInfo.KERNEL32 ref: 00007FF6421928CA

Part of subcall function 00007FF642167B00: HeapFree.KERNEL32 ref: 00007FF642167C95

NtQuerySystemInformation.NTDLL ref: 00007FF642163B2B

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: HeapSystem$CryptFreeInfoInformationProcessQueryRandom
String ID:
API String ID: 3190741376-0
Opcode ID: 8b433a097c9d8a0fb87a35b104813351ee33878ba528f72bb26e3f39f9b1abe1
Instruction ID: ff7c43ed94da88d2d4e2034c241fcb87928895c7bf91f752b4db9e6ed1baff17
Opcode Fuzzy Hash: 8b433a097c9d8a0fb87a35b104813351ee33878ba528f72bb26e3f39f9b1abe1
Instruction Fuzzy Hash: 9B812B35A0DBC189E720AF25D8507E933A1F744B8CF644539DA4C8BB99DFBEA245C740

Function 00007FF6421A08D8 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5c48fe83a3557614dec2960ab8c9f2fc8c32384796dce6831cbf8c5ce3dce0
Instruction ID: 35cdfd923c2846cc6c2db400eb9f7502b4b41306cb9cf26f0e7344ef2509af0b
Opcode Fuzzy Hash: 4f5c48fe83a3557614dec2960ab8c9f2fc8c32384796dce6831cbf8c5ce3dce0
Instruction Fuzzy Hash: 6351B722B0C78145F720FB71A8406AE7BA1FB407A8F244135EF5DE7A99DE7DD4458B00

Function 00007FF64217C5B0 Relevance: 1.6, Strings: 1, Instructions: 347COMMON

Download Yara Rule

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64217C8E0

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 0-2333694755
Opcode ID: dfcd63ef5008ca0bf96eb2a107c1decd82604d056e39117fceebdcb6a985e2af
Instruction ID: 42b9747032010b9ed01450fc822e69da26387be2f7f90225cff3dff232319a67
Opcode Fuzzy Hash: dfcd63ef5008ca0bf96eb2a107c1decd82604d056e39117fceebdcb6a985e2af
Instruction Fuzzy Hash: 66C166A2D0C2D604FB61BA64C4007B96A819FC1769F74A330CB6DD72D0CEFE59819B40

Function 00007FF64218A660 Relevance: 1.6, Strings: 1, Instructions: 338COMMON

Download Yara Rule

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64218AB07

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 0-2333694755
Opcode ID: 7dbc744744d9732bf11cda3bb09aecea9aa1c271f67fc9baf931d4103ebad9c6
Instruction ID: f95e5f3ea15c8855dd7650ad3ce656c509b45933f62ccbd49e8e122c5d740cd6
Opcode Fuzzy Hash: 7dbc744744d9732bf11cda3bb09aecea9aa1c271f67fc9baf931d4103ebad9c6
Instruction Fuzzy Hash: 40C13462E1CA5243EA257B15D19023A67A1FF41798F20A133DB9FC3BD0EEFEE5419640

Function 00007FF6421637C9 Relevance: 1.6, APIs: 1, Instructions: 53nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

NtQuerySystemInformation.NTDLL ref: 00007FF642163B2B

Part of subcall function 00007FF642198EF0: GetErrorInfo.OLEAUT32 ref: 00007FF642198F0F

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorHeapInfoInformationProcessQuerySystem
String ID:
API String ID: 649050420-0
Opcode ID: 4396851a83d91ac7a760ac44cfd8304bc245d5d79059005b4f36a669e9cdb7f9
Instruction ID: 11d58c4672a01d80e43c142887cdf278d49c2698c34ac7c44d55f0b63e5025a1
Opcode Fuzzy Hash: 4396851a83d91ac7a760ac44cfd8304bc245d5d79059005b4f36a669e9cdb7f9
Instruction Fuzzy Hash: 6A213D61B0CB8185FB64BF25C8943BD6292FB44B8CF249439CA4CCB784DFBEA5498750

Function 00007FF642192730 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT ref: 00007FF64219276F

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: 41c4d9f4940d2327327a6471827489626223dd5be0897d4ca53c7c75248bee79
Instruction ID: 9891984804d9a313d67eda6fa388745d3feb811ce1fbadecede87ee090a69e56
Opcode Fuzzy Hash: 41c4d9f4940d2327327a6471827489626223dd5be0897d4ca53c7c75248bee79
Instruction Fuzzy Hash: E8F0C224B0CAC181DB18A726E4483AA2761FB58B8CF604135DE4CD7720DEAEE196CB00

Function 00007FF642192750 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT ref: 00007FF64219276F

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: 85d3d87ec3ae9306377e1e579e3dc3a85b1015bbdc692d8c4d3db3c39138e83c
Instruction ID: feb19d562e3e1c6d70b6f6a302a343c2e9c9c1eba54d3c0fd8165b369aa3b980
Opcode Fuzzy Hash: 85d3d87ec3ae9306377e1e579e3dc3a85b1015bbdc692d8c4d3db3c39138e83c
Instruction Fuzzy Hash: 74F0B424A0CAC181E754AB15E44439A27B0BB58B4CF604136DE8CC7760DFBFD196CB01

Function 00007FF64217C190 Relevance: 1.4, APIs: 1, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00007FF64217FAF9), ref: 00007FF64217C44D

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b75cf6c0edaa9305784afdbcaf164495b9bcf48f75dd4daefb6abe6011eed618
Instruction ID: 00cad7618b9de2b324689ca958929badb5335134c01eae15cf0defba4c50a288
Opcode Fuzzy Hash: b75cf6c0edaa9305784afdbcaf164495b9bcf48f75dd4daefb6abe6011eed618
Instruction Fuzzy Hash: FC612152F1D68189FB10B6A9C8413FE2A60AB947ACF244535DF4EC77C6CEBD9285C700

Function 00007FF64217CEF0 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c91037ac65f3e87fb9d337db9926f8c374840e56dd3df8a0e70c67a4d371263
Instruction ID: 99a9543f1753564a2f5da7d6ce5ed22c224e65d34008dddaf19027680fe011c6
Opcode Fuzzy Hash: 5c91037ac65f3e87fb9d337db9926f8c374840e56dd3df8a0e70c67a4d371263
Instruction Fuzzy Hash: D8C11612B1C68A40FA74BA21E6057B95791FFD138CF641033DB8EC3A95DFAEE1468B00

Function 00007FF642168280 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95aefe72aad35b123a19ae71cd3193c3c6eb714e23dc8b29f8ad5407dec6b0a5
Instruction ID: 584a8e39cdd42685330476c32366a70262a45f24b0807835d006fea382a228e8
Opcode Fuzzy Hash: 95aefe72aad35b123a19ae71cd3193c3c6eb714e23dc8b29f8ad5407dec6b0a5
Instruction Fuzzy Hash: A1B1AF96F39BA502E713573C5402BB596005FA77E8A01E322FEE4F2FD5DB59E6438204

Function 00007FF642170920 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a548c245abc118d5624b5f1ee4bb27c9b9989f3ab1d22fd6a178af0f79fd02
Instruction ID: d33e9a6fc2738bde2555f7b21e3d83c1b702278f962fd61dab7334d110922bcf
Opcode Fuzzy Hash: 54a548c245abc118d5624b5f1ee4bb27c9b9989f3ab1d22fd6a178af0f79fd02
Instruction Fuzzy Hash: 8D910912A0CB8581E660BFA4D0005B96750FBC5B9CF681632EB8ED3784CFBEE595C700

Function 00007FF642195D60 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1205c085f52d671d95f1da9ba140c734ff70df25a04b8f0e393dc707d123be9
Instruction ID: 55900d85439539bf36524efcf784fdaa3d4be01da4a45bf98f9588189e0452bb
Opcode Fuzzy Hash: b1205c085f52d671d95f1da9ba140c734ff70df25a04b8f0e393dc707d123be9
Instruction Fuzzy Hash: B1612362A1C28686F760AA69D04037B6EA0F7447D8F644135EB8FD77C9CEBED590DB00

Function 00007FF6421942C0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072ec80d1324f5e32eb8a41e145f2cf0a016aa475cf66d7be5ef579617e74e12
Instruction ID: 98214305dcc4eada95050a45a72b11690c7cc937c4e211990aaedc5aa2475e12
Opcode Fuzzy Hash: 072ec80d1324f5e32eb8a41e145f2cf0a016aa475cf66d7be5ef579617e74e12
Instruction Fuzzy Hash: A6412972F4866582FA54EB61F164A793611F390FD4F115132CF1AA3B80CE79D966C780

Function 00007FF64219EF40 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 48f4c9434cd95cd0efd539d507531176937577b9bd3d96c335e671109a807226
Instruction ID: 4641710d7f5d7474d0954f9c0ff5d66928b527643df9a0bbd6f301d8698d5f47
Opcode Fuzzy Hash: 48f4c9434cd95cd0efd539d507531176937577b9bd3d96c335e671109a807226
Instruction Fuzzy Hash: 31410866718A9482EF04EF2AD954169B3A2BB48FD8B189037DF0DC7B58DE7DD452C700

Function 00007FF6421A7CF0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485668acbd0f64095f85b8463ccdaa19b6598de98d93daaf4dc60470729e17ef
Instruction ID: 8a978aefaa390f7331085d891e799b795c1e25d4fd53ccad2d3c3429afeb907a
Opcode Fuzzy Hash: 485668acbd0f64095f85b8463ccdaa19b6598de98d93daaf4dc60470729e17ef
Instruction Fuzzy Hash: 15F04F75B1C2958AEBA4AF29A80363977E0F708784F908079D68DC3A14DA7E90619F04

Function 00007FF64219A938 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095a85b91e11b2f9bd9ad45127e04a5bc6233a8dc0752a301b538f28a29222c9
Instruction ID: 8e04e5f90022c081479e09d6e7c24eecce3d0071314b47cf7e12d5827f7e27a8
Opcode Fuzzy Hash: 095a85b91e11b2f9bd9ad45127e04a5bc6233a8dc0752a301b538f28a29222c9
Instruction Fuzzy Hash: 40A0016190DE12D4E608BB00A8500612260AB50B98B614432C24DC24609EFEA498CA00

Function 00007FF64216D470 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 243memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF64216D50F
WakeAllConditionVariable.KERNEL32 ref: 00007FF64216D53F
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF64216D560
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF64216D5DE
WakeAllConditionVariable.KERNEL32 ref: 00007FF64216D615
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF64216D636
HeapFree.KERNEL32 ref: 00007FF64216D6F7
HeapFree.KERNEL32 ref: 00007FF64216D75D

Strings

assertion failed: t.get().eq(&(self as *const _)), xrefs: 00007FF64216D85F
assertion failed: t.get().is_null(), xrefs: 00007FF64216D847
NulErrorUtf8Errorvalid_up_toerror_lenNoneSome, xrefs: 00007FF64216D8A6
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64216D7E0

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionFreeHeapReleaseVariableWake
String ID: NulErrorUtf8Errorvalid_up_toerror_lenNoneSome$assertion failed: t.get().eq(&(self as *const _))$assertion failed: t.get().is_null()$called `Result::unwrap()` on an `Err` value
API String ID: 2884296031-2362296343
Opcode ID: a1aa497c344f79415d7402752085712843ed56f430b084941ccd609744533c8c
Instruction ID: 1414c4fdede81878fd434e901866b3acfc4a69269fa2bd34cc8b5b3ff9bd37f8
Opcode Fuzzy Hash: a1aa497c344f79415d7402752085712843ed56f430b084941ccd609744533c8c
Instruction Fuzzy Hash: F3B16C36A0DA8681EB61BB15E4903FD2760EB54B9CFA45132CB5DC33A4DEBED449CB40

Function 00007FF642196210 Relevance: 16.6, APIs: 11, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32 ref: 00007FF64219626B
GetTokenInformation.ADVAPI32 ref: 00007FF6421962AC
GetLastError.KERNEL32 ref: 00007FF6421962B6
GetProcessHeap.KERNEL32 ref: 00007FF6421962DA
GetLastError.KERNEL32 ref: 00007FF6421962EA
HeapAlloc.KERNEL32 ref: 00007FF642196300
GetTokenInformation.ADVAPI32 ref: 00007FF642196327
GetLastError.KERNEL32 ref: 00007FF6421963A2

Part of subcall function 00007FF642197F10: IsValidSid.ADVAPI32 ref: 00007FF642197F2C
Part of subcall function 00007FF642197F10: GetLengthSid.ADVAPI32 ref: 00007FF642197F39
Part of subcall function 00007FF642197F10: CopySid.ADVAPI32 ref: 00007FF642197F69

HeapFree.KERNEL32 ref: 00007FF642196378
CloseHandle.KERNEL32 ref: 00007FF6421963B3
GetLastError.KERNEL32 ref: 00007FF6421963BD

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorLast$HeapToken$InformationProcess$AllocCloseCopyFreeHandleLengthOpenValid
String ID:
API String ID: 9828444-0
Opcode ID: f3411f48fb865e8facba581bcaea052440f6dddb8dbe165539584f630f769040
Instruction ID: 0620bfabbea40c39a1d1befb92bf1493fd252bffce722b497bb1e9fb01845190
Opcode Fuzzy Hash: f3411f48fb865e8facba581bcaea052440f6dddb8dbe165539584f630f769040
Instruction Fuzzy Hash: 41415521A0DA8281FB50BB22A94577A6390FF45B88F244035DF9EC7794DFBEE459CB10

Function 00007FF64217E560 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64217A0B0: HeapFree.KERNEL32 ref: 00007FF64217A1D9

SetLastError.KERNEL32 ref: 00007FF64217E69A
GetEnvironmentVariableW.KERNEL32 ref: 00007FF64217E6AD
GetLastError.KERNEL32 ref: 00007FF64217E6BA
GetLastError.KERNEL32 ref: 00007FF64217E6D4
HeapFree.KERNEL32 ref: 00007FF64217E761
HeapFree.KERNEL32 ref: 00007FF64217E799

Strings

internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs, xrefs: 00007FF64217E810

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorFreeHeapLast$EnvironmentVariable
String ID: internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs
API String ID: 3632352037-4032025951
Opcode ID: e13e0f180d28a1db871200428a10e16b883d01434fb247a582170e3fe2aa63af
Instruction ID: 49e0abd66318bd6141d976baf3eb7717d7cee38897a0ce2d5b2e6daa344a7bc5
Opcode Fuzzy Hash: e13e0f180d28a1db871200428a10e16b883d01434fb247a582170e3fe2aa63af
Instruction Fuzzy Hash: 1E81AF22A0CAC289E771BF21DC443F863A4AB847ACF244135DF5CDB695DFB9A285C740

Function 00007FF64218ABFD Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 235COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF64218AC12
DuplicateHandle.KERNEL32 ref: 00007FF64218AC3D
GetCurrentProcess.KERNEL32 ref: 00007FF64218AD7E
DuplicateHandle.KERNEL32 ref: 00007FF64218ADA9
GetLastError.KERNEL32 ref: 00007FF64218ADB9
CloseHandle.KERNEL32 ref: 00007FF64218ADF8

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64218B129
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF64218B164
failed to spawn thread, xrefs: 00007FF64218B0E6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Handle$CurrentDuplicateProcess$CloseErrorLast
String ID: called `Result::unwrap()` on an `Err` value$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$failed to spawn thread
API String ID: 120317985-1085459851
Opcode ID: 61db1ca7ff46adb7f9686e8e47a660a19523536785ce4043ba6c77490a5370fb
Instruction ID: 2b6bf02f0ad90fd5f998465854b9c819d3d6899ccd22bda6c9bb54950c04bd6c
Opcode Fuzzy Hash: 61db1ca7ff46adb7f9686e8e47a660a19523536785ce4043ba6c77490a5370fb
Instruction Fuzzy Hash: 62C16A22A0DA8289EB51BB60D8803BD27A0FF4474CF244536EB4DC3795DFBEE5858B40

Function 00007FF642179720 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 202COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,00000000), ref: 00007FF642179798
WriteConsoleW.KERNEL32(?,00000000,00000000,00000000), ref: 00007FF6421797D5
WriteConsoleW.KERNEL32(?,00000000,00000000,00000000), ref: 00007FF642179834
GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 00007FF64217983E
GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 00007FF6421798CE

Strings

Utf8Errorvalid_up_toerror_lenNoneSome, xrefs: 00007FF64217999D
}0x, xrefs: 00007FF642179A2F
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64217992C

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharMultiWide
String ID: }0x$Utf8Errorvalid_up_toerror_lenNoneSome$called `Result::unwrap()` on an `Err` value
API String ID: 1956605914-2833317390
Opcode ID: 7bd926a656e1dac53ce11b122b43920e1fbceb516ce8416653b7c2c193392836
Instruction ID: 9c779c6747d9d5f19c28ccf15600e8e0f014e89934114afaab3b178d1c8db7d4
Opcode Fuzzy Hash: 7bd926a656e1dac53ce11b122b43920e1fbceb516ce8416653b7c2c193392836
Instruction Fuzzy Hash: 2981A362A1C64286EB20BB11E4403B96761FBC4788F744135DB8DC7BA5DFBED589CB00

Function 00007FF64217F980 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF64217FA7A
GetModuleFileNameW.KERNEL32 ref: 00007FF64217FA88
GetLastError.KERNEL32 ref: 00007FF64217FA94
GetLastError.KERNEL32 ref: 00007FF64217FAAE
HeapFree.KERNEL32 ref: 00007FF64217FB2A
GetLastError.KERNEL32 ref: 00007FF64217FB45
HeapFree.KERNEL32(?,00000000,00000000,?), ref: 00007FF64217FBE6

Strings

internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs, xrefs: 00007FF64217FB72

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorLast$FreeHeap$FileModuleName
String ID: internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs
API String ID: 526635459-4032025951
Opcode ID: 76b46c6751f00fccc60f542933f2e9be16d2ad7bc7fa04832f624375acc5784d
Instruction ID: 0b50261046cf23d8ca7986f70f3bbef32fcdd5043ba5a74fc6465beae1e12fc1
Opcode Fuzzy Hash: 76b46c6751f00fccc60f542933f2e9be16d2ad7bc7fa04832f624375acc5784d
Instruction Fuzzy Hash: 19519022A0CBC259E771BF25EC543EA2254FB84BACF604131DE5DD7690DEFE92898700

Function 00007FF64218CFE0 Relevance: 13.7, APIs: 9, Instructions: 191COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00007FF64218D0BA
GetLastError.KERNEL32 ref: 00007FF64218D100

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 786e7a925a4705530903a43fcf8dcbdb85ea6d2d4e21f71ab40edc598bfac47e
Instruction ID: 72cdd23344cff347e0e303bab18074a499ca0dcef30e3cb4242428966ee2270c
Opcode Fuzzy Hash: 786e7a925a4705530903a43fcf8dcbdb85ea6d2d4e21f71ab40edc598bfac47e
Instruction Fuzzy Hash: F5813E22608BC699E731AF25EC407F92760FB4479CF144136DA9CCBB98CFB99286D740

Function 00007FF64219C6C0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF64219C71D

Part of subcall function 00007FF64219D61C: __GetUnwindTryBlock.LIBCMT ref: 00007FF64219D65F
Part of subcall function 00007FF64219D61C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF64219D684

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF64219C7F5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF64219CA4A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF64219CB56

Strings

csm, xrefs: 00007FF64219C737
csm, xrefs: 00007FF64219C79E
csm, xrefs: 00007FF64219C818

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 72ab26a4402c56652830c5fa1d3399aafbf85f533fd71610aa92c533a6f5ca46
Instruction ID: 5d0d0d562f76c596f896deda9e6aef2ec41a54266ebae3a846eb5ee49779347f
Opcode Fuzzy Hash: 72ab26a4402c56652830c5fa1d3399aafbf85f533fd71610aa92c533a6f5ca46
Instruction Fuzzy Hash: F8E14AA2A0C781CAEB20FB6594412AD77A0FB49B9CF240135DB8DD7B55DF79E5A0CB00

Function 00007FF642191AC8 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 142memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF642191BB8

Strings

<unnamed>, xrefs: 00007FF642191C32
RUST_BACKTRACEfailed to write the buffered data, xrefs: 00007FF642191ACC
lluf, xrefs: 00007FF642191B99
mluf, xrefs: 00007FF642191B90
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF642191CCE

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap
String ID: <unnamed>$RUST_BACKTRACEfailed to write the buffered data$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$lluf$mluf
API String ID: 3298025750-386205353
Opcode ID: b8c96b04ffad42163d9c6d3a6d1a143450d8c47edeccfb91b2d6f72a63da962e
Instruction ID: 66fd3b23aefb5c5077f49204e80fab5ad40537ef5eacc92a39162c3f30491f98
Opcode Fuzzy Hash: b8c96b04ffad42163d9c6d3a6d1a143450d8c47edeccfb91b2d6f72a63da962e
Instruction Fuzzy Hash: 30616B36A0DA4288EB61BF65D4503B837A1EB58B8CF244036DB4EC37A4DEAEE555C701

Function 00007FF6421A3294 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF6421A3410
GetProcAddress.KERNEL32 ref: 00007FF6421A341C

Strings

api-ms-, xrefs: 00007FF6421A335A
ext-ms-, xrefs: 00007FF6421A336D

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 6a070d9bb71604036c105590dbace6c5af477c2d24527ad144b48d81c656a169
Instruction ID: 58cd74618f1a7e9eb2d7286d1ea8e4e640682b0442d931417dbd109fb3df935b
Opcode Fuzzy Hash: 6a070d9bb71604036c105590dbace6c5af477c2d24527ad144b48d81c656a169
Instruction Fuzzy Hash: 6841E521B1DA0282FB55FF1698042766391BF85BE8F654536DF0DC7784EEBEE4498B00

Function 00007FF642197F10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

IsValidSid.ADVAPI32 ref: 00007FF642197F2C
GetLengthSid.ADVAPI32 ref: 00007FF642197F39
CopySid.ADVAPI32 ref: 00007FF642197F69
CopySid.ADVAPI32 ref: 00007FF642197F93
GetLastError.KERNEL32 ref: 00007FF642197FA1

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

GetLastError.KERNEL32 ref: 00007FF642197FBF

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642198011

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CopyErrorLast$HeapLengthProcessValid
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 2147234612-2333694755
Opcode ID: 7043026bc7d90f15722716711432570e87a0e382c47e925f302a8d7343d08212
Instruction ID: b5cb7b0b8f25434a4433645db99c42122a991cfdaba752b6d822cd6ce19ccd87
Opcode Fuzzy Hash: 7043026bc7d90f15722716711432570e87a0e382c47e925f302a8d7343d08212
Instruction Fuzzy Hash: 5F31C771A0DB4285F754BB21A9403BA6291AF49BD8F248134DF4DD7790EEBEE586CB00

Function 00007FF64218CB20 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92memorythreadCOMMON

Download Yara Rule

APIs

SetThreadStackGuarantee.KERNEL32 ref: 00007FF64218CB41
GetLastError.KERNEL32 ref: 00007FF64218CB4B
HeapFree.KERNEL32 ref: 00007FF64218CB99
HeapFree.KERNEL32 ref: 00007FF64218CBAB
HeapFree.KERNEL32 ref: 00007FF64218CC5E
HeapFree.KERNEL32 ref: 00007FF64218CC71

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64218CBCD

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap$ErrorGuaranteeLastStackThread
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3680998240-2333694755
Opcode ID: 6a6b5a6c96b756cfa57c6a058bff5de6a9d36b5a0abdc6689987a460b71ba9ef
Instruction ID: 2eae134da2913ed0c316fcd86e70ac29f74c04bde61c417049025d5a06db9fec
Opcode Fuzzy Hash: 6a6b5a6c96b756cfa57c6a058bff5de6a9d36b5a0abdc6689987a460b71ba9ef
Instruction Fuzzy Hash: E2414B32E08E4189E714EB65D8842EC2770FB48B58F648536CB5DD37A4DFB9D58AC740

Function 00007FF642183F7C Relevance: 12.3, APIs: 8, Instructions: 294COMMON

Download Yara Rule

APIs

CompareStringOrdinal.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF642183FDF

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CompareOrdinalString
String ID:
API String ID: 2409332303-0
Opcode ID: f9020d7bf176814af53c865c8d0d8900c9f6b24ebf022bb7cc9cc610dd337ddb
Instruction ID: 9dab4382fd204646e68e6ff5e517d110237072b6541639020e97cff668739e9c
Opcode Fuzzy Hash: f9020d7bf176814af53c865c8d0d8900c9f6b24ebf022bb7cc9cc610dd337ddb
Instruction Fuzzy Hash: 0BE16D66609AC589EB70AF21EC403FA23A5FB4479CF644136CB4DCBB98DF799545CB00

Function 00007FF642197430 Relevance: 12.2, APIs: 8, Instructions: 190timememoryCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32 ref: 00007FF6421974B2
GetLastError.KERNEL32 ref: 00007FF6421974BC
GetSystemTimes.KERNEL32 ref: 00007FF6421974D1
GetLastError.KERNEL32 ref: 00007FF6421974DB
GetProcessIoCounters.KERNEL32 ref: 00007FF642197637
GetProcessMemoryInfo.PSAPI ref: 00007FF6421976AF
GetLastError.KERNEL32 ref: 00007FF6421976D9
GetLastError.KERNEL32 ref: 00007FF6421976E7
GetModuleFileNameExW.PSAPI ref: 00007FF64219775C
HeapFree.KERNEL32 ref: 00007FF6421977A8

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorLast$Process$Times$CountersFileFreeHeapInfoMemoryModuleNameSystem
String ID:
API String ID: 3577777124-0
Opcode ID: ee9a7a875680fedd2ec005248d311c7b53517d63ffa6c970e3b80b972fd4fbc4
Instruction ID: 6f66af58489219327e2abf109767a1ff41f0005c19f12be5f177a50fb67c3d74
Opcode Fuzzy Hash: ee9a7a875680fedd2ec005248d311c7b53517d63ffa6c970e3b80b972fd4fbc4
Instruction Fuzzy Hash: 3091C661B0CBC592EB59AB25D5003A9A760FF44B94F248631DB9CC3795EFBDE0A5CB00

Function 00007FF642193F60 Relevance: 11.4, APIs: 9, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF642193F82
HeapFree.KERNEL32 ref: 00007FF642193FCC
HeapFree.KERNEL32 ref: 00007FF642193FE4
HeapFree.KERNEL32 ref: 00007FF642194094

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 03e2a55060cdd5a8d773200eafc10e70de68ba70a410870847454a390be6e2b9
Instruction ID: 26c308c97d778e1565fa4dfc3949f49333da5ca80cee051fea7b3ebc2cd5cb44
Opcode Fuzzy Hash: 03e2a55060cdd5a8d773200eafc10e70de68ba70a410870847454a390be6e2b9
Instruction Fuzzy Hash: C0514326A0DA41C2FB64BB16A4403BA6361EF48B98F684035CB4EC7760DFBEF495C701

Function 00007FF64219D95C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF64219DC0E,?,?,?,00007FF64219D900,?,?,00000001,00007FF64219BEF1), ref: 00007FF64219D9E1
GetLastError.KERNEL32(?,?,?,00007FF64219DC0E,?,?,?,00007FF64219D900,?,?,00000001,00007FF64219BEF1), ref: 00007FF64219D9EF
LoadLibraryExW.KERNEL32(?,?,?,00007FF64219DC0E,?,?,?,00007FF64219D900,?,?,00000001,00007FF64219BEF1), ref: 00007FF64219DA19
FreeLibrary.KERNEL32(?,?,?,00007FF64219DC0E,?,?,?,00007FF64219D900,?,?,00000001,00007FF64219BEF1), ref: 00007FF64219DA5F
GetProcAddress.KERNEL32(?,?,?,00007FF64219DC0E,?,?,?,00007FF64219D900,?,?,00000001,00007FF64219BEF1), ref: 00007FF64219DA6B

Strings

api-ms-, xrefs: 00007FF64219DA01

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: c1aa25fe3c16cea60b2a4e569bc7c66438893de353299551f1f2a246b98a77db
Instruction ID: 755a5bd945f01bd9fccedbec7b5aa784035f516802f6f15b28e51efd3e0d0186
Opcode Fuzzy Hash: c1aa25fe3c16cea60b2a4e569bc7c66438893de353299551f1f2a246b98a77db
Instruction Fuzzy Hash: 1A31C421A1EB42D2EE15BF02980057522A4BF44BA8F690535DF2DCB790DEFEE474CB01

Function 00007FF64219FA84 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF64219FA93
FlsGetValue.KERNEL32 ref: 00007FF64219FAA8
FlsSetValue.KERNEL32 ref: 00007FF64219FAC9
FlsSetValue.KERNEL32 ref: 00007FF64219FAF6
FlsSetValue.KERNEL32 ref: 00007FF64219FB07
FlsSetValue.KERNEL32 ref: 00007FF64219FB18
SetLastError.KERNEL32 ref: 00007FF64219FB33

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: d9f0b9edf18b466510cdc7d3cb3595672746ffb6cd67beaeecbd3545c46b3673
Instruction ID: 7dfcc6af5403e2a65935ba54f41c831ea20596c0d4de971d8033dbffc196ee09
Opcode Fuzzy Hash: d9f0b9edf18b466510cdc7d3cb3595672746ffb6cd67beaeecbd3545c46b3673
Instruction Fuzzy Hash: 2421C224E0D24292FA687725555623951819F447BCF344734DB3EC76D6DEEEA812CE00

Function 00007FF6421A77B4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6421A77E5
GetLastError.KERNEL32 ref: 00007FF6421A77F1
CloseHandle.KERNEL32 ref: 00007FF6421A7809
CreateFileW.KERNEL32 ref: 00007FF6421A7834
WriteConsoleW.KERNEL32 ref: 00007FF6421A7853

Strings

CONOUT$, xrefs: 00007FF6421A7815

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 811d4d14569b1174cae0347234938108d79ecde9c689091188e43e030fa17b8b
Instruction ID: 245208c6aac89ad06ca2aeb4f102c6afa1f4a5ca956a9c12a2c93413c4f5699b
Opcode Fuzzy Hash: 811d4d14569b1174cae0347234938108d79ecde9c689091188e43e030fa17b8b
Instruction Fuzzy Hash: 24118121A1CA4186E750BB12E85433966A0FB88FE8F204234DB5DC7B94DFBDD949CB44

Function 00007FF6421778B0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6421778BD
GetProcAddress.KERNEL32 ref: 00007FF6421778D5
GetProcAddress.KERNEL32 ref: 00007FF6421778ED

Strings

WakeByAddressSingle, xrefs: 00007FF6421778E3
WaitOnAddress, xrefs: 00007FF6421778CB
api-ms-win-core-synch-l1-2-0, xrefs: 00007FF6421778B6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: WaitOnAddress$WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
API String ID: 667068680-1826242509
Opcode ID: 80c5ba1dada369da22440cf653c03e5e07a81bf50da2b6e88ff490cc949a36c8
Instruction ID: fa16c2a682b87f9e243fb5d9957e3f55f2b26ab0636087387f2478a358e07ab3
Opcode Fuzzy Hash: 80c5ba1dada369da22440cf653c03e5e07a81bf50da2b6e88ff490cc949a36c8
Instruction Fuzzy Hash: F7F0FE24F0EA4781FE56BB11F9445B422A0AF88B98F644075CA5DC7364EFAFA44ACA00

Function 00007FF64216CE90 Relevance: 10.2, APIs: 8, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,?,00000001,?,?,?,?,00000000,?,00007FF64216C7EB,00000000,?,?,?), ref: 00007FF64216CEF6
HeapFree.KERNEL32(?,?,?,?,00000001,?,?,?,?,00000000,?,00007FF64216C7EB,00000000,?,?,?), ref: 00007FF64216CF1A
HeapFree.KERNEL32(?,?,?,?,00000001,?,?,?,?,00000000,?,00007FF64216C7EB,00000000,?,?,?), ref: 00007FF64216CF4F
HeapFree.KERNEL32(?,?,?,?,00000001,?,?,?,?,00000000,?,00007FF64216C7EB,00000000,?,?,?), ref: 00007FF64216CFA6
HeapFree.KERNEL32(?,?,?,?,00000001,?,?,?,?,00000000,?,00007FF64216C7EB,00000000,?,?,?), ref: 00007FF64216CFE3
HeapFree.KERNEL32(?,?,?,?,00000001,?,?,?,?,00000000,?,00007FF64216C7EB,00000000,?,?,?), ref: 00007FF64216D020
HeapFree.KERNEL32(?,?,?,?,00000001,?,?,?,?,00000000,?,00007FF64216C7EB,00000000,?,?,?), ref: 00007FF64216D05C

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: dde2b2780bffd6f083ff53ef2705fc4ec5f43627bc733f3318b10d885f49e2b2
Instruction ID: 47dcdd67dd9b78c703ba5a71501d9651799f5122e7c34b3940dcbeadbe2b2289
Opcode Fuzzy Hash: dde2b2780bffd6f083ff53ef2705fc4ec5f43627bc733f3318b10d885f49e2b2
Instruction Fuzzy Hash: D1613F36A0DA8181E755BF2695843BD2761EF49FE8F685132CF1DC7294CFBA94868700

Function 00007FF642198EF0 Relevance: 9.2, APIs: 6, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

GetErrorInfo.OLEAUT32 ref: 00007FF642198F0F
GetErrorInfo.OLEAUT32 ref: 00007FF642198FFD
SysStringLen.OLEAUT32 ref: 00007FF642199049
GetProcessHeap.KERNEL32 ref: 00007FF642199064
HeapAlloc.KERNEL32 ref: 00007FF642199072
SysFreeString.OLEAUT32 ref: 00007FF64219919B

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorHeapInfoString$AllocFreeProcess
String ID:
API String ID: 174895499-0
Opcode ID: 64b14102e1bda2af5313cd71ae6258c473e2ff326e148d4b7002b56503aded5a
Instruction ID: 27ae5b128e75d37a2f921da6e13e3ef04a0f25c7377fa8424723d2baf41bb1d3
Opcode Fuzzy Hash: 64b14102e1bda2af5313cd71ae6258c473e2ff326e148d4b7002b56503aded5a
Instruction Fuzzy Hash: 81716E21B0DB4282EA18BB16855437963A1BF88F98F258135CF5EC7790DFBEE554CB04

Function 00007FF64218D12E Relevance: 9.1, APIs: 6, Instructions: 104fileCOMMON

Download Yara Rule

APIs

WriteFileEx.KERNEL32 ref: 00007FF64218D233
SleepEx.KERNEL32 ref: 00007FF64218D25A
CloseHandle.KERNEL32 ref: 00007FF64218D406
CloseHandle.KERNEL32 ref: 00007FF64218D40F
CloseHandle.KERNEL32 ref: 00007FF64218D4AF
CloseHandle.KERNEL32 ref: 00007FF64218D4B8

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CloseHandle$FileSleepWrite
String ID:
API String ID: 3423119723-0
Opcode ID: 50f48fa2f1dfff0040be8c6eb8860c5caa61c06629ea0bc5aa9cef88ba84b49f
Instruction ID: 717b9da85ca16521c82e9d332dfc44a03c3baa3beceaec0d3365c5f89017328b
Opcode Fuzzy Hash: 50f48fa2f1dfff0040be8c6eb8860c5caa61c06629ea0bc5aa9cef88ba84b49f
Instruction Fuzzy Hash: 32415B22A08AC688E772BF25EC407F92760FB4479DF544132DE8CC7B98CEB99586D700

Function 00007FF64219FBFC Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF64219DFF2,?,?,?,00007FF6421ACBD6), ref: 00007FF64219FC0B
FlsSetValue.KERNEL32(?,?,?,00007FF64219DFF2,?,?,?,00007FF6421ACBD6), ref: 00007FF64219FC41
FlsSetValue.KERNEL32(?,?,?,00007FF64219DFF2,?,?,?,00007FF6421ACBD6), ref: 00007FF64219FC6E
FlsSetValue.KERNEL32(?,?,?,00007FF64219DFF2,?,?,?,00007FF6421ACBD6), ref: 00007FF64219FC7F
FlsSetValue.KERNEL32(?,?,?,00007FF64219DFF2,?,?,?,00007FF6421ACBD6), ref: 00007FF64219FC90
SetLastError.KERNEL32(?,?,?,00007FF64219DFF2,?,?,?,00007FF6421ACBD6), ref: 00007FF64219FCAB

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 64fb91ebe04766192c5c1e30f9cf491a6fb2cacd05c529915a054ae8694d7015
Instruction ID: 00dc5a359669488cfda44bb3eec1f55f545f26e6f9ddc0307f298e5625f3afdd
Opcode Fuzzy Hash: 64fb91ebe04766192c5c1e30f9cf491a6fb2cacd05c529915a054ae8694d7015
Instruction Fuzzy Hash: FA116F24A0D24692FA54B335555253961829F447BCF348634DF2EC77D6DEEEA816CE00

Function 00007FF6421792B0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00007FF6421792DF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00007FF6421792F3
GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 00007FF64217932E
CloseHandle.KERNEL32(?,?,?,?,?), ref: 00007FF6421795FC

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64217951C, 00007FF64217957E

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Handle$CloseConsoleErrorLastMode
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1170577072-2333694755
Opcode ID: 96d2bc424f8d22cb94cac6148f67ec255ca223446cb51e52ec21167fd4431b53
Instruction ID: 96238e3dba574940734f324b007b8af1cce4df3e7f7dab60f733b225bdd628bc
Opcode Fuzzy Hash: 96d2bc424f8d22cb94cac6148f67ec255ca223446cb51e52ec21167fd4431b53
Instruction Fuzzy Hash: 4FA16B62A0CA9698EB10BB61E9403EC2770BB8535CF644532DF9ED3785DFBDA189C710

Function 00007FF64219BCF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF64219BD1B
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF64219BDB0
RtlUnwindEx.NTDLL ref: 00007FF64219BDFF

Strings

csm, xrefs: 00007FF64219BD96
f, xrefs: 00007FF64219BD2E

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: f978b8b4f6eb7debb6680819d40ef3f2cd9f695ec70aafba99f54ddedc104446
Instruction ID: f3e46816aa7125c43053f9c37263cc2b1f30ee5399cc360c6ce9638b5aabd9e2
Opcode Fuzzy Hash: f978b8b4f6eb7debb6680819d40ef3f2cd9f695ec70aafba99f54ddedc104446
Instruction Fuzzy Hash: BC516D32A0D642C6DB14FB15E444B6967A9FB44B8CF718034DB1AC7788DFBAEA51CB40

Function 00007FF6421ABC80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF6421ABD3B
SleepConditionVariableSRW.KERNEL32 ref: 00007FF6421ABD94
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF6421ABDC7

Strings

internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs, xrefs: 00007FF6421ABE92
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6421ABE70

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionReleaseSleepVariable
String ID: called `Result::unwrap()` on an `Err` value$internal error: entered unreachable codeC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\job.rs
API String ID: 1554092898-2323258618
Opcode ID: a23170424d2af1625816afd1274a588a6bd798be682a89b53bb5f1ad0ba3888d
Instruction ID: 976bfb3d9225bb96e60262cbe043320f998b89581b077cae7a232abcb8019671
Opcode Fuzzy Hash: a23170424d2af1625816afd1274a588a6bd798be682a89b53bb5f1ad0ba3888d
Instruction Fuzzy Hash: 9151932290DBC581EB20BB25E5407B96760FB65788F249131DF8DC3766DF7EE1998B00

Function 00007FF642178D70 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642178D66), ref: 00007FF642178E0C
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642178D66), ref: 00007FF642178EC3
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF642178D66), ref: 00007FF642178F04
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF642178D66), ref: 00007FF642178F58

Strings

lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs, xrefs: 00007FF642178DED

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ExclusiveLock$Release$AcquireFreeHeap
String ID: lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs
API String ID: 2563869513-2303981482
Opcode ID: 5daca773748e2f7817cb8baab1cae2b99ac0e1055b29a0a25c5a3408f8e8635c
Instruction ID: d81e9e9bffb2473f656faddf3cef2e0e10b48de3fc4d1eba176eeb8536bfb59e
Opcode Fuzzy Hash: 5daca773748e2f7817cb8baab1cae2b99ac0e1055b29a0a25c5a3408f8e8635c
Instruction Fuzzy Hash: D1512D35E0CA8285F721FB65E8543B86760AF94B6CF644131CA5CC72A1DFBFA985CB40

Function 00007FF642178980 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF642178A0B
GetProcAddress.KERNEL32 ref: 00007FF642178A20

Strings

NtCreateKeyedEvent, xrefs: 00007FF642178A16
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6421789A5
ntdll, xrefs: 00007FF642178A04

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtCreateKeyedEvent$called `Result::unwrap()` on an `Err` value$ntdll
API String ID: 1646373207-364940113
Opcode ID: de42f339dbfafa86921544b06341b63750b0d3bc1e629570e7857f4c336c5b4a
Instruction ID: 47638061154ed28a884c737b3eba9522e2c37367c581d7c2f2a05067054e2dc4
Opcode Fuzzy Hash: de42f339dbfafa86921544b06341b63750b0d3bc1e629570e7857f4c336c5b4a
Instruction Fuzzy Hash: C811A221F1CB4598E700FB61E8802A82774BB98768F644231DE5CC3B90EFB9A589C700

Function 00007FF64219EC0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF64219EC31
GetProcAddress.KERNEL32 ref: 00007FF64219EC47
FreeLibrary.KERNEL32 ref: 00007FF64219EC6E

Strings

CorExitProcess, xrefs: 00007FF64219EC40
mscoree.dll, xrefs: 00007FF64219EC28

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e9f060037b8fd1a9900d5e8e40cb5b126823032bb8d8f3b3b1ab61e00947e4da
Instruction ID: e4f863eb814d26225aa4920435e4bf60202775bca0ec7cbc4402ef784e698d25
Opcode Fuzzy Hash: e9f060037b8fd1a9900d5e8e40cb5b126823032bb8d8f3b3b1ab61e00947e4da
Instruction Fuzzy Hash: 3DF0446170CB0681EB10BB24E49437A5370BF48B69F640235DB6EC72E4DFAED049CB00

Function 00007FF642165ED3 Relevance: 7.6, APIs: 6, Instructions: 144memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF642165F08
CloseHandle.KERNEL32 ref: 00007FF642165F55
CloseHandle.KERNEL32 ref: 00007FF642165F6C
CloseHandle.KERNEL32 ref: 00007FF642165F83
HeapFree.KERNEL32 ref: 00007FF6421660B3

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CloseHandle$FreeHeap
String ID:
API String ID: 2735614835-0
Opcode ID: 114ebed87ecc461a6c81ac0434252ff432b6bce6d1b019d28e43bdd067ec5db9
Instruction ID: 7419a904c04c2dcf34c570fbf97e28069ced969675136f3359069dc844d7484a
Opcode Fuzzy Hash: 114ebed87ecc461a6c81ac0434252ff432b6bce6d1b019d28e43bdd067ec5db9
Instruction Fuzzy Hash: E6518531A0D69186EB64BB1688842BD6351EF45BD8F682131CF2ED77D4DEBEE4418700

Function 00007FF6421A7B04 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6421A7B2C
_set_statfp.LIBCMT ref: 00007FF6421A7B47
_set_statfp.LIBCMT ref: 00007FF6421A7B63
_set_statfp.LIBCMT ref: 00007FF6421A7B9F

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: b8f7bd5d016da8336fc6820fa5de9a12b5f293b900ec8a6f8aca29d9e9172529
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 6711C1A2E1DE0705FB743128D55237D10406F9837CF790675EB6EC76E68EAEAA4A8900

Function 00007FF64219FCC4 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,00000000,00007FF64219FE2B,?,?,00000000,00007FF6421A00C6,?,?,?,?,?,00007FF6421A0052), ref: 00007FF64219FCE3
FlsSetValue.KERNEL32(?,?,00000000,00007FF64219FE2B,?,?,00000000,00007FF6421A00C6,?,?,?,?,?,00007FF6421A0052), ref: 00007FF64219FD02
FlsSetValue.KERNEL32(?,?,00000000,00007FF64219FE2B,?,?,00000000,00007FF6421A00C6,?,?,?,?,?,00007FF6421A0052), ref: 00007FF64219FD2A
FlsSetValue.KERNEL32(?,?,00000000,00007FF64219FE2B,?,?,00000000,00007FF6421A00C6,?,?,?,?,?,00007FF6421A0052), ref: 00007FF64219FD3B
FlsSetValue.KERNEL32(?,?,00000000,00007FF64219FE2B,?,?,00000000,00007FF6421A00C6,?,?,?,?,?,00007FF6421A0052), ref: 00007FF64219FD4C

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 10c1b15db0d9e69b7360fb64859d65a1c643bac1d3934fe6005dbef432cf6c38
Instruction ID: 4f2f2338cdda9adc8a7feb2fcb024181e036516083aacc68d16dd4dfffc5a208
Opcode Fuzzy Hash: 10c1b15db0d9e69b7360fb64859d65a1c643bac1d3934fe6005dbef432cf6c38
Instruction Fuzzy Hash: C1117220E0D64292FA58B329554123992815F447BCF384335DB3DC76D6EDEFE822CE00

Function 00007FF64219FB58 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF64219FB69
FlsSetValue.KERNEL32 ref: 00007FF64219FB88
FlsSetValue.KERNEL32 ref: 00007FF64219FBB0
FlsSetValue.KERNEL32 ref: 00007FF64219FBC1
FlsSetValue.KERNEL32 ref: 00007FF64219FBD2

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 52c3098bb3d2d5b0921bbef1f3f1f7ce673cb4b8044c4f76f6e3757f50ffd989
Instruction ID: e5d0e3e00ceaef2b210aa9a2810499d96adb01fd9a6bda28a5c343f988b0b53d
Opcode Fuzzy Hash: 52c3098bb3d2d5b0921bbef1f3f1f7ce673cb4b8044c4f76f6e3757f50ffd989
Instruction Fuzzy Hash: 89115A14A0D24392FA68BA26446227951814F4477CF384738DB3FCB2D2EDEFB822DE01

Function 00007FF64218ABCF Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF64218ABD1
GetLastError.KERNEL32 ref: 00007FF64218ABED
GetCurrentProcess.KERNEL32 ref: 00007FF64218AD7E
DuplicateHandle.KERNEL32 ref: 00007FF64218ADA9
GetLastError.KERNEL32 ref: 00007FF64218ADB9

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorHandleLast$CurrentDuplicateProcess
String ID:
API String ID: 3697983210-0
Opcode ID: 66e8b521d7ab11fdc0f8415cc66ee55bf59a9d372ac864cdebc574e463c595b6
Instruction ID: 6215f449b204e0ea3bebd720bfdbda13da466074d6ddadb7947a96131cb79602
Opcode Fuzzy Hash: 66e8b521d7ab11fdc0f8415cc66ee55bf59a9d372ac864cdebc574e463c595b6
Instruction Fuzzy Hash: F2112161B0CA0186FB60BBA1A4853BD2660AF447ADF240239CF5DC77C5DFFE95898B50

Function 00007FF64219CB98 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF64219CBE4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF64219CC33

Strings

MOC, xrefs: 00007FF64219CBF8
RCC, xrefs: 00007FF64219CC01

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 109cb2fe54b35d8bb1d44f4b237a1c854c54e1c771541eb03d13f088e3a6d46b
Instruction ID: 9d3732f2c72e0986ee1afe4207866a09580ce48b4bf6649884d91085805b4146
Opcode Fuzzy Hash: 109cb2fe54b35d8bb1d44f4b237a1c854c54e1c771541eb03d13f088e3a6d46b
Instruction Fuzzy Hash: 0B614D76A08B85CAE710AF65D4403AD7BA0FB48B8CF244225DF8D97B94CF79E165CB40

Function 00007FF64219CEF4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF64219CF1C
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF64219D004

Strings

csm, xrefs: 00007FF64219CF3E
csm, xrefs: 00007FF64219D056

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 235481634b9598564d7783057544c2066f85393b7fe67a768a17d1646a1f7a83
Instruction ID: 5674dedef05c9d7102269d4adb18238a428becda6bb957c8145648fc06f986a5
Opcode Fuzzy Hash: 235481634b9598564d7783057544c2066f85393b7fe67a768a17d1646a1f7a83
Instruction Fuzzy Hash: B9519D7290C682C6EA24BF21D44436876A0EB58B98F284135DB9DC7A95CFBEE461CF04

Function 00007FF642195AA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF642195030: HeapFree.KERNEL32(?,?,00000000,?,?), ref: 00007FF64219508C
Part of subcall function 00007FF642195030: HeapFree.KERNEL32(?,?,00000000,?,?), ref: 00007FF6421950F6

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF642195BEB
WakeAllConditionVariable.KERNEL32 ref: 00007FF642195C12

Strings

assertion failed: injected && !worker_thread.is_null()C:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\registry.rs, xrefs: 00007FF642195CA8
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF642195C70

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap$AcquireConditionExclusiveLockVariableWake
String ID: assertion failed: injected && !worker_thread.is_null()C:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\rayon-core-1.12.1\src\registry.rs$called `Result::unwrap()` on an `Err` value
API String ID: 2149175250-2936071865
Opcode ID: 10cd90343652960ae856554adba5c41d7848bda52d320045cba301882e718df0
Instruction ID: c7ed6245220b55e079e15664b8d7b9714a5cbecd8d5634c43459a13c3412e253
Opcode Fuzzy Hash: 10cd90343652960ae856554adba5c41d7848bda52d320045cba301882e718df0
Instruction Fuzzy Hash: 0961531190CAC591F661AB28E4013F9A760FF9475CF549131DBCD93662EF6EE1DACB00

Function 00007FF64216465B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122memorysleepCOMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF64216465B
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF64216482F
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF642164A16
Sleep.KERNEL32 ref: 00007FF642164AAC
HeapFree.KERNEL32 ref: 00007FF642164B6D
HeapFree.KERNEL32 ref: 00007FF642164BAD

Strings

stdoutlibrary\std\src\io\mod.rsadvancing io slices beyond their length, xrefs: 00007FF6421647B2

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ExclusiveLock$FreeHeapRelease$AcquireSleep
String ID: stdoutlibrary\std\src\io\mod.rsadvancing io slices beyond their length
API String ID: 2475328964-3145101877
Opcode ID: 79730f0271721ccf683b51c4ad5348d038b8df33ec6ab605c8fe28823bbde194
Instruction ID: 0078b0c1436f9ce09f8578d81129b022af5409f9bdd3d393b1639e01cc5a286e
Opcode Fuzzy Hash: 79730f0271721ccf683b51c4ad5348d038b8df33ec6ab605c8fe28823bbde194
Instruction Fuzzy Hash: 7A610936A0DA8189EB70AF24D8807E923A4FB4574CF64113ACB5DC7794DFBEA644C740

Function 00007FF6421981F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

CallNtPowerInformation.POWRPROF ref: 00007FF6421982E0

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

CallNtPowerInformation.POWRPROF ref: 00007FF642198263
HeapFree.KERNEL32 ref: 00007FF6421982C0

Strings

unknownARM x64C:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\cpu.rs, xrefs: 00007FF6421981F8

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CallHeapInformationPower$FreeProcess
String ID: unknownARM x64C:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\cpu.rs
API String ID: 1351286460-2377213474
Opcode ID: b9d087bd9391b43aef60062ced9162c444aa62f2417d8964da2eeb67194f3ae6
Instruction ID: 1554c9f444a5d97c5221c194fbaf42b26ab58b3dbbbdc81a4b76952075ca642a
Opcode Fuzzy Hash: b9d087bd9391b43aef60062ced9162c444aa62f2417d8964da2eeb67194f3ae6
Instruction Fuzzy Hash: 0741F572A1D64282F715BF16A80432A62D1BF45798F658934CF8DC7390EFBEE545CB00

Function 00007FF642178B60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6421783CE), ref: 00007FF642178C8C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6421783CE), ref: 00007FF642178CA1

Strings

NtReleaseKeyedEvent, xrefs: 00007FF642178C97
ntdll, xrefs: 00007FF642178C85

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtReleaseKeyedEvent$ntdll
API String ID: 1646373207-31681898
Opcode ID: ac648174810df1729c868640992e2bd5a4d2a3e4e2fe350e5af2acf71b23bbf5
Instruction ID: b460fdee634d5d0e304d09013a8d810222682816c73fb525a947e56fe21ec46c
Opcode Fuzzy Hash: ac648174810df1729c868640992e2bd5a4d2a3e4e2fe350e5af2acf71b23bbf5
Instruction Fuzzy Hash: 52318466A0EA4981EE50FB06F8403B967A1EB98B88F654035DE4DC3764DEBDD445DB00

Function 00007FF6421977F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

ReadProcessMemory.KERNEL32(?,?,?,?,?,?,00007FF642196C98), ref: 00007FF642197868
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF642196C98), ref: 00007FF642197890
HeapFree.KERNEL32(?,?,?,?,?,?,00007FF642196C98), ref: 00007FF6421978D1

Strings

ReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\process.rs, xrefs: 00007FF6421978A9

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: HeapProcess$ErrorFreeLastMemoryRead
String ID: ReadProcessMemory returned unexpected number of bytes readUnable to read process dataC:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f\sysinfo-0.30.5\src\windows\process.rs
API String ID: 1816195746-2331781313
Opcode ID: f982e367781bb5e954ac2490a5636e33ba36dbde12c6a7960b8144e3a4fe35cd
Instruction ID: 0d2b9bd90f46013c156d550ea6f5521da2b29b553d4ce36bd6dd9f964bccef5d
Opcode Fuzzy Hash: f982e367781bb5e954ac2490a5636e33ba36dbde12c6a7960b8144e3a4fe35cd
Instruction Fuzzy Hash: 8321B261A0CA4291E720BB12B84437A62A4EF487E8F644530DF9DC77E0DFBDD156CB00

Function 00007FF64216C830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?,?,00000000,?,00000002,?,00007FF6421AA263), ref: 00007FF64216C856
WakeConditionVariable.KERNEL32(?,?,00000000,?,00000002,?,00007FF6421AA263), ref: 00007FF64216C885
ReleaseSRWLockExclusive.KERNEL32(?,?,00000000,?,00000002,?,00007FF6421AA263), ref: 00007FF64216C8A7

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64216C8E1

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1466638765-2333694755
Opcode ID: eba9fc01b6a9d1c408c86e405b4f31a0f9db797720e7b3c72b65fd809337a6d6
Instruction ID: c5281b3530ad8cf4da98af7a50e64381a24a04f7aa6509f90975a97b03013922
Opcode Fuzzy Hash: eba9fc01b6a9d1c408c86e405b4f31a0f9db797720e7b3c72b65fd809337a6d6
Instruction Fuzzy Hash: 2221A222E0CAC642FB35BB15A4442BD2760AF44798F680031DF9DC77A1DFAEE54ACB50

Function 00007FF6421788B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF64217892C
GetProcAddress.KERNEL32 ref: 00007FF642178941

Strings

NtWaitForKeyedEvent, xrefs: 00007FF642178937
ntdll, xrefs: 00007FF642178925

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtWaitForKeyedEvent$ntdll
API String ID: 1646373207-2815205136
Opcode ID: 807cfb51dc01d980b4f2d185bdc6e465eb678390421a456197fafae7718a9404
Instruction ID: f39adf7a10394e050a03bbeae8a1f4ada7857f2e6b081b7bc07d3497e1c0d2a8
Opcode Fuzzy Hash: 807cfb51dc01d980b4f2d185bdc6e465eb678390421a456197fafae7718a9404
Instruction Fuzzy Hash: 79118121A1DB8181EA10FB01E8803556760FBD8798F644135EA8DC3B64EFBDD589CF00

Function 00007FF64217A280 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF64217A293
GetProcAddress.KERNEL32 ref: 00007FF64217A2A8

Strings

SetThreadDescription, xrefs: 00007FF64217A29E
kernel32, xrefs: 00007FF64217A28C

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: 7ac23fb82f3bccca20251f2f2946cb3405ab1b6b01346f2d376141e90fb7919d
Instruction ID: 266b1f2eecb7005dcffffc66e3c965c1a4bb6740228a12f99d5fe24a3965f82f
Opcode Fuzzy Hash: 7ac23fb82f3bccca20251f2f2946cb3405ab1b6b01346f2d376141e90fb7919d
Instruction Fuzzy Hash: 3BE0ED18F0EA4281EE49BB16ED8416426616F98BD9F744536CE0DC3764EEEEA489CB00

Function 00007FF64218F620 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF64218F62F
GetProcAddress.KERNEL32 ref: 00007FF64218F644

Strings

kernel32, xrefs: 00007FF64218F628
GetSystemTimePreciseAsFileTime, xrefs: 00007FF64218F63A

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32
API String ID: 1646373207-392834919
Opcode ID: 71d434fb3064ebe718e67f3467315527de2388df68e612c2c92abae684c1dec9
Instruction ID: 62e7ddcc14438a9e154e43808b56182c98e2ff97ee166351c2653f8fde6eefb5
Opcode Fuzzy Hash: 71d434fb3064ebe718e67f3467315527de2388df68e612c2c92abae684c1dec9
Instruction Fuzzy Hash: AEE09A14F0DA5291FE55FB55A8841B42260AF58B59FA44235CA0DC3360FFEEA55ACB40

Function 00007FF6421A5808 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6421A5887
WriteFile.KERNEL32 ref: 00007FF6421A5B4F
WriteFile.KERNEL32 ref: 00007FF6421A5B95
GetLastError.KERNEL32 ref: 00007FF6421A5C4B

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 8875820102c5dbf4130b7a74e23a79fa082a0c67c06a05f52fd5a5adac179917
Instruction ID: d9dd7701e05cd0fa554dab28ed9a6d8e5abe5932736ac066618871a4e3b14372
Opcode Fuzzy Hash: 8875820102c5dbf4130b7a74e23a79fa082a0c67c06a05f52fd5a5adac179917
Instruction Fuzzy Hash: 00D1DE62F0CA8599E710EF65D4402AC37B1EB44BDCB204226CF5ED7B99DE79D40ACB00

Function 00007FF6421A6130 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00007FF6421A611B,00000000), ref: 00007FF6421A624C
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00007FF6421A611B,00000000), ref: 00007FF6421A62D7

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6630e0d82ca14e8d4c24bbfd1099a455c0df43720e44df9b8894130ebf72bb4f
Instruction ID: 9309f1e201bf392bf5ecc5b414c84eceb0990cd502e52b3be07722a5d6e30abf
Opcode Fuzzy Hash: 6630e0d82ca14e8d4c24bbfd1099a455c0df43720e44df9b8894130ebf72bb4f
Instruction Fuzzy Hash: 4091A262F1C69195FB60BF6594402BD2BA0AB44B8CF344139DF4ED7685CFBAD44ACB00

Function 00007FF64218C970 Relevance: 6.1, APIs: 4, Instructions: 93memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64218F680: GetProcessHeap.KERNEL32(?,?,?,?,00007FF64217875D,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF64218F697

CreateThread.KERNEL32 ref: 00007FF64218C9D8
HeapFree.KERNEL32 ref: 00007FF64218CA28
HeapFree.KERNEL32 ref: 00007FF64218CA3A
GetLastError.KERNEL32 ref: 00007FF64218CA40

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Heap$Free$CreateErrorLastProcessThread
String ID:
API String ID: 4090155190-0
Opcode ID: 82e06ff88743de9c6c97f8494ad63ea7dcc97d513f3791ecfca58220f22b5a38
Instruction ID: 39e5828e718f5b09cc55ecf577b12410f576ec2e20410652eea60e9c1351b8c5
Opcode Fuzzy Hash: 82e06ff88743de9c6c97f8494ad63ea7dcc97d513f3791ecfca58220f22b5a38
Instruction Fuzzy Hash: A131A536B08B4085F710AB62E8412AD6761BB88BE8F148535DF5CD3794DFBDD486C740

Function 00007FF64218D15A Relevance: 6.1, APIs: 4, Instructions: 87fileCOMMON

Download Yara Rule

APIs

WriteFileEx.KERNEL32 ref: 00007FF64218D233
SleepEx.KERNEL32 ref: 00007FF64218D25A
CloseHandle.KERNEL32 ref: 00007FF64218D406
CloseHandle.KERNEL32 ref: 00007FF64218D40F
CloseHandle.KERNEL32 ref: 00007FF64218D4AF
CloseHandle.KERNEL32 ref: 00007FF64218D4B8

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CloseHandle$FileSleepWrite
String ID:
API String ID: 3423119723-0
Opcode ID: 5934cf6e98bb280f186700b8dddc855a85aba575023afbb02a5d7662604a1fda
Instruction ID: 0657adad5c16bd8e2048905c6280cfcf2bda60112da3ff7990787ab60b379f85
Opcode Fuzzy Hash: 5934cf6e98bb280f186700b8dddc855a85aba575023afbb02a5d7662604a1fda
Instruction Fuzzy Hash: E4315C22A08BC689E771BF3598407F927A1FB4479CF144132DE8CC7B99CEB99596DA00

Function 00007FF64218D184 Relevance: 6.1, APIs: 4, Instructions: 85fileCOMMON

Download Yara Rule

APIs

WriteFileEx.KERNEL32 ref: 00007FF64218D233
SleepEx.KERNEL32 ref: 00007FF64218D25A
CloseHandle.KERNEL32 ref: 00007FF64218D406
CloseHandle.KERNEL32 ref: 00007FF64218D40F
CloseHandle.KERNEL32 ref: 00007FF64218D4AF
CloseHandle.KERNEL32 ref: 00007FF64218D4B8

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CloseHandle$FileSleepWrite
String ID:
API String ID: 3423119723-0
Opcode ID: 61855a40b7052ffe6c97599b3f6ad9dc699b55571c0e9826dfff301eedf0bc9a
Instruction ID: b30578ac388c7c86722af41186050f9f57023e0e3bce46ccbc1583bd34d7c185
Opcode Fuzzy Hash: 61855a40b7052ffe6c97599b3f6ad9dc699b55571c0e9826dfff301eedf0bc9a
Instruction Fuzzy Hash: DA316C22A08BC688E771BF3598407F927A0FB4479CF144132DE8CC7B98CFB99196DA00

Function 00007FF64218D188 Relevance: 6.1, APIs: 4, Instructions: 84fileCOMMON

Download Yara Rule

APIs

WriteFileEx.KERNEL32 ref: 00007FF64218D233
SleepEx.KERNEL32 ref: 00007FF64218D25A
CloseHandle.KERNEL32 ref: 00007FF64218D406
CloseHandle.KERNEL32 ref: 00007FF64218D40F
CloseHandle.KERNEL32 ref: 00007FF64218D4AF
CloseHandle.KERNEL32 ref: 00007FF64218D4B8

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CloseHandle$FileSleepWrite
String ID:
API String ID: 3423119723-0
Opcode ID: abf077b8a892d9f4d2ec4466fc4b084af3ddada2ec041a1e4bdd095f7ea85d65
Instruction ID: eb60ad0c3fa1653ed1868a059ec3ca1b5ce709cec2c13b28e62c8c2d3f178d94
Opcode Fuzzy Hash: abf077b8a892d9f4d2ec4466fc4b084af3ddada2ec041a1e4bdd095f7ea85d65
Instruction Fuzzy Hash: 25314C22908BC688E771BF2598407F927A0FB4479DF544132EE8CC7B99CFB99596DB00

Function 00007FF64217A7C1 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64217ACC0: GetModuleHandleW.KERNEL32 ref: 00007FF64217AD23
Part of subcall function 00007FF64217ACC0: FormatMessageW.KERNEL32 ref: 00007FF64217AD6A

HeapFree.KERNEL32 ref: 00007FF64217A938

Strings

codemessage)HRESULT(, xrefs: 00007FF64217A7F7
}0x, xrefs: 00007FF64217A89D
Oskind, xrefs: 00007FF64217A7D0

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FormatFreeHandleHeapMessageModule
String ID: }0x$Oskind$codemessage)HRESULT(
API String ID: 3599032235-664653352
Opcode ID: 0c24bde573fb928e6e20acccfad721a0c0bc7e11d230015bed9672254baf7f60
Instruction ID: f9790f36bdd3b7ac849e0ada9560cd978167fd220cce689b4536ae33d1d98081
Opcode Fuzzy Hash: 0c24bde573fb928e6e20acccfad721a0c0bc7e11d230015bed9672254baf7f60
Instruction Fuzzy Hash: 69413C26B1CA5685EB10FB61D4407AD2BB0AB88B8CF200136CF4D97B55CFBED645CB10

Function 00007FF64219A66C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF64219A698
GetCurrentThreadId.KERNEL32 ref: 00007FF64219A6A6
GetCurrentProcessId.KERNEL32 ref: 00007FF64219A6B2
QueryPerformanceCounter.KERNEL32 ref: 00007FF64219A6C2

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0d8be27c9e3446b523b68380b9948fe79f6296bd376a8e569b0843d88f76d027
Instruction ID: d4c4911ddf23760092a5af3f3b190049cdbdf195e219c99819ede0fad61aa75b
Opcode Fuzzy Hash: 0d8be27c9e3446b523b68380b9948fe79f6296bd376a8e569b0843d88f76d027
Instruction Fuzzy Hash: 8F114C26B18F4189EB00EF60E8552A933A4FB19B5CF140A31DB6DC37A4DFB9D1698740

Function 00007FF6421AA280 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32 ref: 00007FF6421AA2C5
SleepConditionVariableSRW.KERNEL32 ref: 00007FF6421AA456

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF6421AA4A7

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AcquireConditionExclusiveLockSleepVariable
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 97112084-2333694755
Opcode ID: 220088b57b201f3931872333218eb2fb876a27f4dd94a9847187041c9d5098ce
Instruction ID: 42582c8fe239ce99af6ff87ca3bca9092e9ff3d8f4332c46d2dcb76071f56ccc
Opcode Fuzzy Hash: 220088b57b201f3931872333218eb2fb876a27f4dd94a9847187041c9d5098ce
Instruction Fuzzy Hash: E851C122A0DB9181EB21BB15D4043792B60EB55B68F294236DFADC33D1DFBED489C740

Function 00007FF64219A000 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_set_fmode.LIBCMT ref: 00007FF64219A127
_RTC_Initialize.LIBCMT ref: 00007FF64219A148

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF64219A0E6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: Initialize_set_fmode
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3059891073-2333694755
Opcode ID: d43dd30a0cc37ce1ba64fbaf45ffb74524f7f6b049562404a014cef22b497bb7
Instruction ID: e24b398598eb648ab1ba4ba372f186712fa1b9e0692313862b4617db27e92ec0
Opcode Fuzzy Hash: d43dd30a0cc37ce1ba64fbaf45ffb74524f7f6b049562404a014cef22b497bb7
Instruction Fuzzy Hash: 2B518121E1C606C2EA487B7595552BD2361AF84788F240032EB4EC3B86DFAFE569CF41

Function 00007FF6421784D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

WaitOnAddress.KERNELBASE ref: 00007FF642178542
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000,?,?), ref: 00007FF6421785B6

Strings

use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 00007FF6421785E5

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: AddressCloseHandleWait
String ID: use of std::thread::current() is not possible after the thread's local data has been destroyed
API String ID: 592885855-1431102515
Opcode ID: d80228a26bcedfffe53632c8001855e7cce87a0c82cadc90cc9a3ee33dc584ce
Instruction ID: 5a13a2f274cc014116f4f239ecd8270ef49a39e0764e3a65840af0d292afeb7d
Opcode Fuzzy Hash: d80228a26bcedfffe53632c8001855e7cce87a0c82cadc90cc9a3ee33dc584ce
Instruction Fuzzy Hash: F651B026A09A4298FB11BB65EC407A92764BF8477CF654732DF2CC37D4DFBA94468700

Function 00007FF642191B40 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

ReleaseSRWLockShared.KERNEL32 ref: 00007FF6421919E9
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF642191E35

Strings

<unnamed>, xrefs: 00007FF642191C32
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF642191CCE

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: LockRelease$ExclusiveShared
String ID: <unnamed>$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
API String ID: 279184637-616897820
Opcode ID: 7d7d2886259c6564fd32274b6c9a61a7df82f98bd851e4b0c2d984a148ae96df
Instruction ID: 69cff025291a219395726d4eb6a79e528565b04abaf08e7a4b5096bc81154605
Opcode Fuzzy Hash: 7d7d2886259c6564fd32274b6c9a61a7df82f98bd851e4b0c2d984a148ae96df
Instruction Fuzzy Hash: AD514636A0DA8188EB51BF65D4802B837A1BB58B8CF644032DF4DC37A5DFAEE455CB41

Function 00007FF642191B38 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

ReleaseSRWLockShared.KERNEL32 ref: 00007FF6421919E9
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF642191E35

Strings

<unnamed>, xrefs: 00007FF642191C32
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF642191CCE

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: LockRelease$ExclusiveShared
String ID: <unnamed>$cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs
API String ID: 279184637-616897820
Opcode ID: 39ae95b467ac9e5c7c66673b6c0d11df1c5937850569e09270ca9a3b12895e96
Instruction ID: 910c5830d5a44afba1f5eda5eb62fc7eee21d6341fc31938065a26562b7f4a1a
Opcode Fuzzy Hash: 39ae95b467ac9e5c7c66673b6c0d11df1c5937850569e09270ca9a3b12895e96
Instruction Fuzzy Hash: BC512636A0DA8188EB51BF65D4802B837A1BB58B8CF644032DB4DC37A5DFAAE455CB41

Function 00007FF6421A5EA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6421A5FB7
GetLastError.KERNEL32 ref: 00007FF6421A5FD9

Strings

U, xrefs: 00007FF6421A5F63

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 3ff687fd7e7d8f1f2e5c4389899c042159ca8b4cc9ce9a172e96bb05df430e88
Instruction ID: 0350e0a8ca09fa0947242d2f0f90173d27e75eec054fc6d6c8eaf26a51cb4efb
Opcode Fuzzy Hash: 3ff687fd7e7d8f1f2e5c4389899c042159ca8b4cc9ce9a172e96bb05df430e88
Instruction Fuzzy Hash: F241A262B1CA8196DB20AF65E4443AA6760FB84BD8F604031EF4EC7798EFBDD445CB00

Function 00007FF64219DE00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00007FF64219DE50
RaiseException.KERNEL32 ref: 00007FF64219DE91

Strings

csm, xrefs: 00007FF64219DE7E

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 883a0065c4fa0e1550a9946e3da064db8281e95a61c9c5dd8f7c9e5845b28b3d
Instruction ID: af73cb3472e60f62c48854bb458d8aebee45c79040e2a26c79a021e8359dc30d
Opcode Fuzzy Hash: 883a0065c4fa0e1550a9946e3da064db8281e95a61c9c5dd8f7c9e5845b28b3d
Instruction Fuzzy Hash: 25114C32608B4182EB60AF15E400269B7E4FB98B98F684270DF8C87758DF7DD551CB00

Function 00007FF642180ECA Relevance: 5.2, APIs: 4, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00007FF642181496
HeapFree.KERNEL32 ref: 00007FF6421814B0

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3d27bfe1a79bc11b3a63879303dfb2ae74f8945ce12e4f151717bd9fb5bb8369
Instruction ID: 1b2192686fbdd3d61aa85577cc2b883ee5ac18e159214c1253c97850d7a9d735
Opcode Fuzzy Hash: 3d27bfe1a79bc11b3a63879303dfb2ae74f8945ce12e4f151717bd9fb5bb8369
Instruction Fuzzy Hash: 0FA19C22A0CBC589E721AF35D8403F927A2FB5578CF549231DB8D8B65ADFB9E185C700

Function 00007FF642195030 Relevance: 5.1, APIs: 4, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,00000000,?,?), ref: 00007FF64219508C
HeapFree.KERNEL32(?,?,00000000,?,?), ref: 00007FF6421950F6
HeapFree.KERNEL32(?,?,00000000,?,?), ref: 00007FF64219517C
HeapFree.KERNEL32(?,?,00000000,?,?), ref: 00007FF6421951E6

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: abce01e59cf06bfddaaed37fe6e2481b8dda4bdcb6d2153c5bcf55c26926d91f
Instruction ID: 2a571b7eddac739a677b8df74e8f09e3a60840c53def4d691a4be2186f4c0ef9
Opcode Fuzzy Hash: abce01e59cf06bfddaaed37fe6e2481b8dda4bdcb6d2153c5bcf55c26926d91f
Instruction Fuzzy Hash: 41413F26A0DA41D5E725BF12A94076AA760FB48BD8F684031CF4ED7754DF7EE4A1CB00

Function 00007FF64216DDFE Relevance: 5.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174606487.00007FF642161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF642160000, based on PE: true

Associated: 00000000.00000002.2174589767.00007FF642160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174642367.00007FF6421AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174668192.00007FF6421CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174685693.00007FF6421CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff642160000_praxisbackup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0baaba98fa9066360a80adca798b99bf6d1efd932463139389e9b9ad12c29d50
Instruction ID: 5e1c08b2468b18792e072a4f8dfc89235a16a5dfd2efa8d16c6391d32b98bbf7
Opcode Fuzzy Hash: 0baaba98fa9066360a80adca798b99bf6d1efd932463139389e9b9ad12c29d50
Instruction Fuzzy Hash: 1A514236A0CA8281E764FB46E49837D7361EB85B88F655071CB4DC36A4CFBED486CB41

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report praxisbackup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_praxisbackup.exe_fa851c8bd9c5583f741cfa88ae4a1244eeb19db5_9be301e6_7c27b446-6383-4edf-b7b5-fb839c6564ce\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB2F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBAD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBED.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBFA.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC3A.tmp.txt

C:\Windows\System32\drivers\Sysprox.sys

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

UDP Packets

Statistics

Windows Analysis Report
praxisbackup.exe

Function 00007FF6421654B8 Relevance: 64.3, APIs: 30, Strings: 6, Instructions: 1255
memoryCOMMON

Function 00007FF6421991C0 Relevance: 47.7, APIs: 22, Strings: 5, Instructions: 497
memorylibraryloaderCOMMON

Function 00007FF642199350 Relevance: 24.9, APIs: 11, Strings: 3, Instructions: 367
memoryCOMMON

Function 00007FF642181A20 Relevance: 10.7, APIs: 7, Instructions: 192
filememoryCOMMON

Function 00007FF642179610 Relevance: 4.6, APIs: 3, Instructions: 66
filenativesynchronizationCOMMON

Function 00007FF642164F43 Relevance: 18.1, APIs: 5, Strings: 5, Instructions: 584
memorywindowCOMMON

Function 00007FF6421918C0 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 387
COMMON

Function 00007FF64217FE30 Relevance: 12.2, APIs: 8, Instructions: 173
memoryCOMMON

Function 00007FF6421674F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107
memorythreadCOMMON

Function 00007FF64216577C Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 447
memoryCOMMON

Function 00007FF64219A1F4 Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Function 00007FF642177C10 Relevance: 4.5, APIs: 3, Instructions: 38
threadmemoryCOMMON

Function 00007FF6421917C0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 67
memoryCOMMON

Function 00007FF642180820 Relevance: 2.6, APIs: 2, Instructions: 104
COMMON

Function 00007FF6421A2528 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON