Edit tour

Windows Analysis Report
gEP8SOoakR.exe

Overview

General Information

Sample name:	gEP8SOoakR.exe renamed because original name is a hash value
Original sample name:	1af918875c67d204941ec2c8a780e312.exe
Analysis ID:	1542677
MD5:	1af918875c67d204941ec2c8a780e312
SHA1:	ce9e2ce0460d9536f863c4fc4042958207f0802a
SHA256:	3621c6a555e79fd6640b3073b245d4e3b225d7a73403e2529d13a82a2b228c7f
Tags:	64exe
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Hijacks the control flow in another process

Machine Learning detection for sample

Sets debug register (to hijack the execution of another thread)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

gEP8SOoakR.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\gEP8SOoakR.exe" MD5: 1AF918875C67D204941EC2C8A780E312)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

gEP8SOoakR.exe (PID: 6192 cmdline: C:\Users\user\Desktop\gep8sooakr.exe 1028 MD5: 1AF918875C67D204941EC2C8A780E312)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: gEP8SOoakR.exe

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: gEP8SOoakR.exe

Joe Sandbox ML: detected

Source: gEP8SOoakR.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\dev\nett\Source\Nett\obj\Release\net40\Nett.pdb source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591B3AC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591BBAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136559465.0000025908B70000.00000004.08000000.00040000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /obj/Release/net45/CommandLineArgumentsParser.pdb source: gEP8SOoakR.exe, 00000003.00000002.2137807466.0000025909941000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591ABAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136473689.0000025908AC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\dev\nett\Source\Nett\obj\Release\net40\Nett.pdbSHA256 source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591B3AC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591BBAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136559465.0000025908B70000.00000004.08000000.00040000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: gEP8SOoakR.exe, 00000000.00000002.2148281849.0000023B7B8C0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148438414.0000023B7BACC000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148595797.0000023B7BCC3000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148126231.0000023B7B6CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147812964.0000023B7B2CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147967283.0000023B7B4CE000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136609033.0000025908BBF000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136763598.0000025908DB1000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137405137.00000259095B2000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137074507.00000259091B0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136922310.0000025908FB9000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137249390.00000259093B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\snaffler\SnaffCore\obj\Release\SnaffCore.pdb source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136232211.0000025908870000.00000004.08000000.00040000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.0000025919941000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: gEP8SOoakR.exe, 00000000.00000002.2148281849.0000023B7B8C0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148438414.0000023B7BACC000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148595797.0000023B7BCC3000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148126231.0000023B7B6CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147812964.0000023B7B2CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147967283.0000023B7B4CE000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136609033.0000025908BBF000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136763598.0000025908DB1000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137405137.00000259095B2000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137074507.00000259091B0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136922310.0000025908FB9000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137249390.00000259093B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256ySI source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp

Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://nlog-project.org/dummynamespace/
Source: gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://nlog-project.org/ws/
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://nlog-project.org/ws/3
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://nlog-project.org/ws/5
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://nlog-project.org/ws/T
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: gEP8SOoakR.exe, 00000003.00000002.2137807466.0000025909941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gEP8SOoakR.exe, 00000003.00000002.2137807466.0000025909941000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591ABAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136473689.0000025908AC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/j-maly/CommandLineParser
Source: gEP8SOoakR.exe, 00000003.00000003.2121654717.0000025909829000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hooks.slack.com/services/T
Source: gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://nlog-project.org/
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore

Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF61864C240 RtlGetVersion,memcpy,GetProcessHeap,GetProcessHeap,exit,exit,memcpy,GetTickCount,Sleep,SleepEx,exit,memcpy,memcpy,GetFileAttributesW,GetFileAttributesW,OpenProcess,GetModuleHandleA,GetProcAddress,memcpy,memcpy,GetFileAttributesW,memcpy,memcpy,HeapCreate,VirtualProtect,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,CreateProcessW,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,fwrite,fflush,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,memcpy,memcpy,fwrite,fflush,fwrite,fflush,	0_2_00007FF61864C240
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF61864D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,Thread32Next,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,NtTraceEvent,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk,	3_2_00007FF61864D570
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF61864BEE0 NtTraceEvent,	3_2_00007FF61864BEE0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF61864BF80 GetThreadContext,NtTraceEvent,SetThreadContext,BaseThreadInitThunk,BaseThreadInitThunk,	3_2_00007FF61864BF80
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF6186FCED8 OpenThread,Thread32Next,RtlAddVectoredExceptionHandler,BaseThreadInitThunk,SetThreadContext,NtTraceEvent,	3_2_00007FF6186FCED8
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_0000025906CB1B10 NtProtectVirtualMemory,NtCreateSection,	3_2_0000025906CB1B10
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_0000025906CB1BA8 NtCreateSection,	3_2_0000025906CB1BA8

Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF61864C240	0_2_00007FF61864C240
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF61864F6D0	0_2_00007FF61864F6D0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF61865A58A	0_2_00007FF61865A58A
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF618646970	0_2_00007FF618646970
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF618644A80	0_2_00007FF618644A80
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF618646760	0_2_00007FF618646760
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF61864B420	0_2_00007FF61864B420
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF61864E7F0	0_2_00007FF61864E7F0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF618652CA0	0_2_00007FF618652CA0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF618650460	0_2_00007FF618650460
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF61864C240	3_2_00007FF61864C240
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF61864F6D0	3_2_00007FF61864F6D0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF618652CA0	3_2_00007FF618652CA0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF618650460	3_2_00007FF618650460
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF61865A58A	3_2_00007FF61865A58A
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF618646970	3_2_00007FF618646970
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF618644A80	3_2_00007FF618644A80
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF618646760	3_2_00007FF618646760
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF61864B420	3_2_00007FF61864B420
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF61864E7F0	3_2_00007FF61864E7F0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_0000025906CB0999	3_2_0000025906CB0999
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_0000025906CB0B36	3_2_0000025906CB0B36
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_0000025906CB0730	3_2_0000025906CB0730
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_0000025906CB0AB3	3_2_0000025906CB0AB3
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_0000025906CB0BAD	3_2_0000025906CB0BAD
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF848E61930	3_2_00007FF848E61930
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF848E6C6DE	3_2_00007FF848E6C6DE
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF848E690F2	3_2_00007FF848E690F2
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF848E619E0	3_2_00007FF848E619E0
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF848E696BC	3_2_00007FF848E696BC
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF848E60680	3_2_00007FF848E60680
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF848E618D3	3_2_00007FF848E618D3
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF848E618B0	3_2_00007FF848E618B0

Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: String function: 00007FF6186420F0 appears 78 times
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: String function: 00007FF61864E170 appears 48 times
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: String function: 00007FF6186461C0 appears 86 times

Source: gEP8SOoakR.exe

Static PE information: Number of sections : 12 > 10

Source: gEP8SOoakR.exe, 00000000.00000002.2147967283.0000023B7B646000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2136922310.0000025909131000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591B3AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNett.dll* vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: _originalFileName vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNLog.dll: vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSnaffCore.dll4 vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2137807466.0000025909941000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCommandLineArgumentsParser.dllV vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591BBAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNett.dll* vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000003.2121654717.0000025909829000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSnaffler.exe2 vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591ABAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCommandLineArgumentsParser.dllV vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2136232211.0000025908870000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSnaffCore.dll4 vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2136559465.0000025908B70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNett.dll* vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNett.dll* vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSnaffler.exe2 vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: _originalFileName vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNLog.dll: vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2138843871.0000025919941000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSnaffCore.dll4 vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: _originalFileName vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNLog.dll: vs gEP8SOoakR.exe
Source: gEP8SOoakR.exe, 00000003.00000002.2136473689.0000025908AC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCommandLineArgumentsParser.dllV vs gEP8SOoakR.exe

Source: classification engine

Classification label: mal72.evad.winEXE@4/3@0/0

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

Code function: 0_2_00007FF61864D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk,

0_2_00007FF61864D570

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\gep8sooakr.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03

Source: gEP8SOoakR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gEP8SOoakR.exe "C:\Users\user\Desktop\gEP8SOoakR.exe"
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process created: C:\Users\user\Desktop\gEP8SOoakR.exe C:\Users\user\Desktop\gep8sooakr.exe 1028
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process created: C:\Users\user\Desktop\gEP8SOoakR.exe C:\Users\user\Desktop\gep8sooakr.exe 1028	Jump to behavior

Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Section loaded: winrnr.dll	Jump to behavior

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: gEP8SOoakR.exe

Static PE information: More than 235 > 100 exports found

Source: gEP8SOoakR.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: gEP8SOoakR.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\dev\nett\Source\Nett\obj\Release\net40\Nett.pdb source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591B3AC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591BBAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136559465.0000025908B70000.00000004.08000000.00040000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /obj/Release/net45/CommandLineArgumentsParser.pdb source: gEP8SOoakR.exe, 00000003.00000002.2137807466.0000025909941000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591ABAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136473689.0000025908AC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\dev\nett\Source\Nett\obj\Release\net40\Nett.pdbSHA256 source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591B3AC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591BBAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136559465.0000025908B70000.00000004.08000000.00040000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: gEP8SOoakR.exe, 00000000.00000002.2148281849.0000023B7B8C0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148438414.0000023B7BACC000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148595797.0000023B7BCC3000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148126231.0000023B7B6CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147812964.0000023B7B2CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147967283.0000023B7B4CE000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136609033.0000025908BBF000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136763598.0000025908DB1000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137405137.00000259095B2000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137074507.00000259091B0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136922310.0000025908FB9000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137249390.00000259093B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\snaffler\SnaffCore\obj\Release\SnaffCore.pdb source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136232211.0000025908870000.00000004.08000000.00040000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.0000025919941000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: gEP8SOoakR.exe, 00000000.00000002.2148281849.0000023B7B8C0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148438414.0000023B7BACC000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148595797.0000023B7BCC3000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2148126231.0000023B7B6CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147812964.0000023B7B2CD000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000000.00000002.2147967283.0000023B7B4CE000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136609033.0000025908BBF000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136763598.0000025908DB1000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137405137.00000259095B2000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137074507.00000259091B0000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136922310.0000025908FB9000.00000004.00000020.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2137249390.00000259093B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256ySI source: gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 3.2.gEP8SOoakR.exe.25908af0000.2.raw.unpack, ModuleLoader.cs

.Net Code: ReadAssemblyFromResource System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

Code function: 0_2_00007FF61864C240 RtlGetVersion,memcpy,GetProcessHeap,GetProcessHeap,exit,exit,memcpy,GetTickCount,Sleep,SleepEx,exit,memcpy,memcpy,GetFileAttributesW,GetFileAttributesW,OpenProcess,GetModuleHandleA,GetProcAddress,memcpy,memcpy,GetFileAttributesW,memcpy,memcpy,HeapCreate,VirtualProtect,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,CreateProcessW,LoadLibraryA,GetProcAddress,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,fwrite,fflush,NtWriteVirtualMemory,NtProtectVirtualMemory,ResumeThread,exit,memcpy,memcpy,fwrite,fflush,fwrite,fflush,

0_2_00007FF61864C240

Source: gEP8SOoakR.exe	Static PE information: section name: .eh_fram
Source: gEP8SOoakR.exe	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF848E68167 push ebx; ret		3_2_00007FF848E6816A
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF848E600BD pushad ; iretd		3_2_00007FF848E600C1

Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Memory allocated: 25907000000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Memory allocated: 25921940000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

0_2_00007FF61864D570

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\gEP8SOoakR.exe TID: 1120

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: gEP8SOoakR.exe, 00000003.00000002.2137602174.00000259097B0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXP0

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

0_2_00007FF61864D570

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

0_2_00007FF61864D570

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

0_2_00007FF61864C240

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

0_2_00007FF61864C240

Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF618641154 GetStartupInfoA,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit,	0_2_00007FF618641154
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF61864D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk,	0_2_00007FF61864D570
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF6186FCEE8 CloseHandle,Thread32Next,RtlAddVectoredExceptionHandler,	0_2_00007FF6186FCEE8
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 0_2_00007FF6186FCED8 OpenThread,Thread32Next,RtlAddVectoredExceptionHandler,	0_2_00007FF6186FCED8
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF61864D570 RtlAddVectoredExceptionHandler,memset,CreateToolhelp32Snapshot,Thread32First,Thread32Next,GetCurrentProcessId,CloseHandle,OpenThread,GetThreadContext,NtTraceEvent,SetThreadContext,CloseHandle,GetModuleHandleA,BaseThreadInitThunk,GetModuleHandleA,GetProcAddress,RtlInitUnicodeString,LdrLoadDll,BaseThreadInitThunk,	3_2_00007FF61864D570
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF618641154 GetStartupInfoA,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit,	3_2_00007FF618641154
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF6186FCEE8 CloseHandle,Thread32Next,RtlAddVectoredExceptionHandler,BaseThreadInitThunk,	3_2_00007FF6186FCEE8
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	Code function: 3_2_00007FF6186FCED8 OpenThread,Thread32Next,RtlAddVectoredExceptionHandler,BaseThreadInitThunk,SetThreadContext,NtTraceEvent,	3_2_00007FF6186FCED8

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\gEP8SOoakR.exe	NtProtectVirtualMemory: Indirect: 0x7FF618654F98	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	NtWriteVirtualMemory: Indirect: 0x7FF618654CAB	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	NtProtectVirtualMemory: Indirect: 0x7FF618654D00	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	NtAllocateVirtualMemory: Indirect: 0x7FF618654B51	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	NtProtectVirtualMemory: Indirect: 0x7FF618654C80	Jump to behavior
Source: C:\Users\user\Desktop\gEP8SOoakR.exe	NtWriteVirtualMemory: Indirect: 0x7FF618654F5F	Jump to behavior

Hijacks the control flow in another process

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

Memory written: PID: 6192 base: 25906CB0000 value: E9

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

Thread register set: 6192 4

Jump to behavior

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

Process created: C:\Users\user\Desktop\gEP8SOoakR.exe C:\Users\user\Desktop\gep8sooakr.exe 1028

Jump to behavior

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

0_2_00007FF61864C240

Source: C:\Users\user\Desktop\gEP8SOoakR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	211 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gEP8SOoakR.exe	100%	Avira	HEUR/AGEN.1329661
gEP8SOoakR.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep	gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	false		unknown
https://hooks.slack.com/services/T	gEP8SOoakR.exe, 00000003.00000003.2121654717.0000025909829000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nlog-project.org/dummynamespace/	gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	false		unknown
http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages	gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/envelope/	gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nlog-project.org/	gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	false		unknown
http://nlog-project.org/ws/	gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	false		unknown
http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT	gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	gEP8SOoakR.exe, 00000003.00000002.2137807466.0000025909941000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.nuget.org/packages/NLog.Web.AspNetCore	gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	false		unknown
http://nlog-project.org/ws/3	gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	false		unknown
https://github.com/j-maly/CommandLineParser	gEP8SOoakR.exe, 00000003.00000002.2137807466.0000025909941000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591ABAC000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2136473689.0000025908AC0000.00000004.08000000.00040000.00000000.sdmp	false		unknown
http://nlog-project.org/ws/5	gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	false		unknown
http://nlog-project.org/ws/T	gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591A1FE000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2138843871.000002591997C000.00000004.00000800.00020000.00000000.sdmp, gEP8SOoakR.exe, 00000003.00000002.2143826152.0000025922000000.00000004.08000000.00040000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542677
Start date and time:	2024-10-26 06:25:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gEP8SOoakR.exe renamed because original name is a hash value
Original Sample Name:	1af918875c67d204941ec2c8a780e312.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@4/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 93 Number of non-executed functions: 70
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: gEP8SOoakR.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.45
	https://load.aberegg-immobilien.ch/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.45
	http://mychronictravel.eu.org/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://docs.google.com/drawings/d/1igp9x84Q_2r8qSa1YDSk9dpVvjHGWjRjQMSbSGGfj2M/preview?pli=1VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv689W8l3mkPZmP2UR2g0HlFBjRUIoZvJzUgEXisf43J0VKXX1Bv	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://certify.us.com/D5QkoQ3Eniw4G2APQ3ED5QpQ3E4RAionz01coq01	Get hash	malicious	Unknown	Browse	13.107.246.45
	Rob.Kuster@stonhard.com.zip	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.45
	zip file.zip	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.45
	ACTION required to activate your account - bp Supplier Portal.eml	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://docs.google.com/drawings/d/1gvM7ysnJ7zDcSUShXnPoiA6pG4cjDDn9uHRbivsGidA/preview?pli=1jjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZseeIf3YM4Csy3PIV85PbXFYIuATiQmdLLycE9d8EeWpqjjQQnZs	Get hash	malicious	Mamba2FA	Browse	13.107.246.45

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\gep8sooakr.exe.log

Download File

Process:	C:\Users\user\Desktop\gEP8SOoakR.exe
File Type:	CSV text
Category:	modified
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\gEP8SOoakR.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	3423
Entropy (8bit):	4.925282229780145
Encrypted:	false
SSDEEP:	96:XWiA24IKTTXFZwvulZwcLCwjRSYHj8IWn:mi9iXPX99H8n
MD5:	134241D99B17EB93716F6E2AB3F3EBC1
SHA1:	59CFD80CFB28BE549409CCFFBEA34E2B625C7BE5
SHA-256:	766065F9921FE8E1D374AD628CB05A0A28A744358A5B38D6C3F924914AF0FF22
SHA-512:	400ED3FEE282432FE5E28664B16E79353747D2DEAB3032E6CAFBA5E9FD8A1DD04F3BBF0826DCBC510C04F9AECBB0DFA7EB2037F194CE62158FDC7A952F8A002F
Malicious:	false
Reputation:	low
Preview:	.::::::.:::. :::. :::. .-:::::'.-:::::'::: .,:::::: :::::::.. ..;;;` ``;;;;, `;;; ;;`;; ;;;'''' ;;;'''' ;;; ;;;;'''' ;;;;``;;;; ..'[==/[[[[, [[[[[. '[[ ,[[ '[[, [[[,,== [[[,,== [[[ [[cccc [[[,/[[[' .. ''' $ $$$ 'Y$c$$c$$$cc$$$c`$$$'`` `$$$'`` $$' $$"" $$$$$$c .. 88b dP 888 Y88 888 888,888 888 o88oo,.__888oo,__ 888b '88bo,.. 'YMmMY' MMM YM YMM ''` 'MM, 'MM, ''''YUMMM''''YUMMMMMMM 'W' .. by l0ss and Sh3r4 - github.com/SnaffCon/Snaffler .......Usage:...-e, --timeout[optional]... Interval between status updates (in minutes) also acts as a timeout for AD data to be gathered via LDAP. Turn this knob up if you aren't getting any computers from AD when you run Snaffler through a proxy or other slow link. Default = 5 .....-z, --config[optional]... Path to a .toml config file. Run with 'generate' to puke a sample config file into the working directory. .....-o, --outfile[optional]... Path for output

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.768576563287834
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	gEP8SOoakR.exe
File size:	710'656 bytes
MD5:	1af918875c67d204941ec2c8a780e312
SHA1:	ce9e2ce0460d9536f863c4fc4042958207f0802a
SHA256:	3621c6a555e79fd6640b3073b245d4e3b225d7a73403e2529d13a82a2b228c7f
SHA512:	498420dc4c3e44496159c9491580924c6c3ecf0a71d360c03c747dd4852980aeeda2b55d13059c198877aecf2653e182af1453d81842c7c61e9c28e0a40fbf7a
SSDEEP:	12288:x/uVxEZsd6Rq8sQ1M7dKHB8u4EqcJDhJzuT6p4qd7DmHrE0S48v7:x/axEadkqbEzTxnp4qdfoE0a
TLSH:	C4E40132E36358F9C29AD23987C369A2E771FC290530387D56815A35BF7B960479EF02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...X..g...............$.........`..%..........@..........................................`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140001125
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x670F8558 [Wed Oct 16 09:20:24 2024 UTC]
TLS Callbacks:	0x400163a0, 0x1, 0x4001645f, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e16254f44ddd98c690f5ad4d0a981e4a

Entrypoint Preview

Instruction
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [000A2A25h]
mov dword ptr [eax], 00000000h
call 00007FE4FC6C4F73h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [ebp-08h], 00000000h
mov dword ptr [ebp-0Ch], 00000000h
dec eax
lea eax, dword ptr [ebp-000000C0h]
inc ecx
mov eax, 00000068h
mov edx, 00000000h
dec eax
mov ecx, eax
call 00007FE4FC6E0DADh
dec eax
mov eax, dword ptr [000A29D1h]
mov eax, dword ptr [eax]
test eax, eax
je 00007FE4FC6C4F75h
dec eax
lea eax, dword ptr [ebp-000000C0h]
dec eax
mov ecx, eax
dec eax
mov eax, dword ptr [000C60D6h]
call eax
dec eax
mov dword ptr [ebp-18h], 00000000h
mov dword ptr [ebp-24h], 00000030h
mov eax, dword ptr [ebp-24h]
dec eax
mov eax, dword ptr [eax]
dec eax
mov dword ptr [ebp-30h], eax
dec eax
mov eax, dword ptr [ebp-30h]
dec eax
mov eax, dword ptr [eax+08h]
dec eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-10h], 00000000h
jmp 00007FE4FC6C4F83h
dec eax
mov eax, dword ptr [ebp-18h]
dec eax
cmp eax, dword ptr [ebp-20h]
jne 00007FE4FC6C4F6Bh
mov dword ptr [ebp-10h], 00000001h
jmp 00007FE4FC6C4FA7h
mov ecx, 000003E8h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xbe000	0x8226	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc7000	0x900	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa6000	0xcd8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xca000	0x158	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa2f20	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc724c	0x210	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x21308	0x21400	697461e01ea78406b90f0c3f56dc54b5	False	0.4983626057330827	data	6.317912809044539	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x23000	0x170	0x200	499ad6b262ca2e8683e48cb01f36411f	False	0.203125	data	1.2750151770303946	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x24000	0x80a80	0x80c00	19af8bda14eca7045e096ea8167cc840	False	0.9353837985436894	data	7.965105880061288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0xa5000	0x4	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xa6000	0xcd8	0xe00	e9fd6227820d1caa8f630a9567078d3f	False	0.45926339285714285	data	4.8752339858897455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0xa7000	0xdbc	0xe00	0d71a3ce1111cb21376017b8bcb0cd4f	False	0.2826450892857143	shared library	4.535733918192951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0xa8000	0x15e20	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xbe000	0x8226	0x8400	8fa0892c1b7fd738d7fc722b628796da	False	0.3539003314393939	data	5.748512008657241	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0xc7000	0x900	0xa00	f9096555bfa86aebf2337962d6c0ed43	False	0.325390625	data	3.944209218952523	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xc8000	0x68	0x200	d8260c5c2386e113692c96907f8e5744	False	0.07421875	data	0.39026490088656424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xc9000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xca000	0x158	0x200	525a090b94176a23533a576afca74d54	False	0.53125	data	3.7955317654975613	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WideCharToMultiByte

msvcrt.dll

__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _commode, _errno, _fileno, _fmode, _initterm, _lock, _onexit, _setjmp, _setmode, _unlock, abort, calloc, exit, fflush, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memchr, memcpy, memset, signal, strcmp, strerror, strlen, strncmp, strstr, vfprintf, wcslen

Exports

Name	Ordinal	Address
AmIDebugged__76oader_1372	1	0x200000000
BaseThreadInitThunk__76oader_1592	2	0x200000000
CheckHardwareBreakPoints__76oader_1388	3	0x200000000
CreatedInterrupt__76oader_1416	4	0x200000000
CurrentAssembly__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZclr_20	5	0x1400b5e88
Dl_1023410185_	6	0x1400a8120
Dl_1023410187_	7	0x1400b6000
Dl_1023410194_	8	0x200000000
Dl_1023410203_	9	0x200000000
Dl_1056973869_	10	0x200000000
Dl_1342179610_	11	0x1400a8178
Dl_1342179648_	12	0x1400a8170
Dl_1342179665_	13	0x1400a8168
Dl_1342179856_	14	0x1400a8158
Dl_1342180241_	15	0x200000000
Dl_1342180301_	16	0x1400a8150
Dl_1342180314_	17	0x1400a8148
Dl_1342180339_	18	0x1400a8138
Dl_1342180341_	19	0x200000000
Dl_1342180365_	20	0x1400a8130
Dl_1342181099_	21	0x1400a8128
Dl_1342181994_	22	0x1400a8160
Dl_1342184270_	23	0x1400a8140
Dl_1375737445_	24	0x1400a8188
Dl_1375737893_	25	0x1400a8180
Dl_1862271172_	26	0x1400a8190
Dl_1862271258_	27	0x200000000
Dl_2113941776_	28	0x200000000
Dl_2113941788_	29	0x200000000
Dl_2113941820_	30	0x1400b5e28
Dl_2113941866_	31	0x1400b5e20
Dl_2113941903_	32	0x200000000
Dl_2113941905_	33	0x200000000
Dl_2113943166_	34	0x200000000
Dl_2113943836_	35	0x1400b5f60
Dl_2516586222_	36	0x1400a8198
Dl_2566914147_	37	0x200000000
Dl_2566914180_	38	0x200000000
Dl_2566914183_	39	0x200000000
Dl_436208173_	40	0x200000000
Dl_436208175_	41	0x200000000
Dl_452985033_	42	0x200000000
Dl_452986305_	43	0x200000000
Dl_452986337_	44	0x200000000
ETWExceptionHandler__76oader_1578	45	0x200000000
GetPPEB__76oader_359	46	0x200000000
GetSyscallStub__76oader_1023	47	0x200000000
Kernel32ThreadInitThunkFunction__76oader_1590	48	0x200000000
LPWSTRtoLowercase__76oader_294	49	0x200000000
MultiByteToWideChar__76oader_777	50	0x200000000
MyCloseHandle__76oader_773	51	0x200000000
MyCreateFileA__76oader_985	52	0x1400a8278
MyGetComputerNameExA__76oader_1439	53	0x200000000
MyGetCurrentProcessId__76oader_764	54	0x200000000
MyGetCurrentThreadId__76oader_775	55	0x200000000
MyGetDiskFreeSpaceExA__76oader_1441	56	0x200000000
MyGetFileSize__76oader_986	57	0x1400a8270
MyGetModuleHandleA__76oader_770	58	0x1400b5e08
MyGetProcAddress__76oader_768	59	0x1400b5df0
MyGetProcessHeap__76oader_767	60	0x1400a8288
MyGetThreadContext__76oader_771	61	0x200000000
MyGetTickCount__76oader_779	62	0x200000000
MyGlobalMemoryStatusEx__76oader_1440	63	0x200000000
MyLdrLoadDll__76oader_429	64	0x1400b5df8
MyOpenProcess__76oader_765	65	0x200000000
MyOpenThread__76oader_774	66	0x200000000
MyReadFile__76oader_988	67	0x1400a8260
MyRtlAddVectoredExceptionHandler__76oader_769	68	0x200000000
MyRtlAllocateHeap__76oader_987	69	0x1400a8268
MyRtlInitUnicodeString__76oader_284	70	0x1400b5e00
MySetThreadContext__76oader_772	71	0x200000000
MySleep__76oader_778	72	0x1400a8280
MyVirtualAllocEx__76oader_763	73	0x200000000
MyVirtualProtect__76oader_766	74	0x1400a8290
MyWaitForSingleObject__76oader_776	75	0x200000000
NTIarithmeticdefect__cT9c9bHlHSpA1QTnKbHjnIkA_	76	0x200000000
NTIarrayL48OO48_safearrayboundT__nKvO7wXZAsroXb0Wz9b7Rmw_	77	0x200000000
NTIarrayL48OO494957_uint5452T__wa4ExhM0I5D0wQQmyrXAHA_	78	0x200000000
NTIarrayL48OO5149_byteT__vEOa9c5qaE9ajWxR5R4zwfQg_	79	0x200000000
NTIbcgrmproc__7kPg4iIrFVxPW1SngAif2w_	80	0x200000000
NTIbool__VaVACK0bpYmqIQ0mKcHfQQ_	81	0x200000000
NTIbyte__k3HXouOuhqAKq0dx450lXQ_	82	0x200000000
NTIcatchableerror__qrLSDoe2oBoAqNtJ9badtnA_	83	0x200000000
NTIchar__nmiMWKVIe46vacnhAFrQvw_	84	0x200000000
NTIclrerror__PUxYufCPDbgUFMvFpPtSfQ_	85	0x1400b5e40
NTIcstring__S9agCYBinaYZnGWcjTdxclg_	86	0x200000000
NTIcy95struct49__ROud78kqeHjXYisn4jhtaw_	87	0x200000000
NTIcy__wDff8zKdhpvos9c7lBHUPSQ_	88	0x200000000
NTIdecimal95union4995struct49__79a7mES62JQ1oSE6vhkv3Mg_	89	0x200000000
NTIdecimal95union49__WGoXHqhEWH1qpRGdTEgBIQ_	90	0x200000000
NTIdecimal95union5095struct49__ndD9aJVbTCK7WcNNlcFDdRQ_	91	0x200000000
NTIdecimal95union50__AHLY3ntS3ifZxbjvCnrSYw_	92	0x200000000
NTIdecimal__7lwbcpbVYQOsyXq5rL9casA_	93	0x200000000
NTIdefect__LbeSGvgPzGzXnW9caIkJqMA_	94	0x200000000
NTIdouble__w9bl9a1ul9ctRJWiMl9cNnIMvg_	95	0x200000000
NTIecb__FqrsHsObEDvZPY9aUEY69aCA_	96	0x200000000
NTIexception__XEycrCsme5C8CVWAYEcdBQ_	97	0x200000000
NTIfloat__C875xFvYpI7aGybrDGHIaQ_	98	0x200000000
NTIhcryptprov__hMQEc0FMry7Up7EoPki79aA_	99	0x200000000
NTIidispatch__25afB9aQxduZVFt1Yu6YBbw_	100	0x200000000
NTIidispatchvtbl__m6cgE8u5k2W48yvpP0M9cVg_	101	0x200000000
NTIindexdefect__n6tGEPHKkh7E1AP9bj30WrQ_	102	0x200000000
NTIint__rR5Bzr1D5krxoo1NcNyeMA_	103	0x200000000
NTIint__xHTZrq9aYs6boc9bCba0JbpQ_	104	0x200000000
NTIioerror__iLZrPn9anoh9ad1MmO0RczFw_	105	0x1400a80e0
NTIirecordinfo__o7mu6JCMnDiOC4fiz5Cxtw_	106	0x200000000
NTIirecordinfovtbl__Rtoycx0FzRmTEejgGZss8w_	107	0x200000000
NTIiunknown__GaCOTm3fAeQng3LkqGK9cpw_	108	0x200000000
NTIiunknownvtbl__jF4R4hWZYkQD9a5uVek42vg_	109	0x200000000
NTIkeyvaluepair__2wauyaneUIEXFZnckdv0OQ_	110	0x200000000
NTIkeyvaluepairseq__QyuekR9bgDQj4oxD9cw0z4fw_	111	0x1400b5f80
NTIlong__sVg18TP9cLifHyygRe9cro9aA_	112	0x200000000
NTIlonglong__Aav8dQoMlCFnZRxA0IhTHQ_	113	0x200000000
NTImyntflushinstructioncache__3eV1XklMMklNDUIHDUNWNQ_	114	0x200000000
NTIobject__diB2NTuAIWY0FO9c5IUJRGg_	115	0x200000000
NTIobject__nftp7RTJl9bUkGnValdDrfQ_	116	0x1400a8220
NTIoverflowdefect__9cxMi1BPLc3UKt9br86bGfGQ_	117	0x200000000
NTIpointer__vr5DoT1jILTGdRlYv1OYpw_	118	0x200000000
NTIprocLself58ptridispatch_dispidmember58dispid_riid58refiid_lcid58lcid_wflags58word_pdispparams58ptrdispparams_pvarresult58ptrvariant_pexcepinfo58ptrexcepinfo_puargerr58ptruintT58hresultLOstdcallOT__HMTIlg0ibX9c3DUxZWiFDlg_	119	0x200000000
NTIprocLself58ptridispatch_itinfo58uint_lcid58lcid_pptinfo58ptrptritypeinfoT58hresultLOstdcallOT__PJRj0uRX50rVBId5wxoWWg_	120	0x200000000
NTIprocLself58ptridispatch_pctinfo58ptruintT58hresultLOstdcallOT__zezkKyqfMpGrdLXfsTMoKg_	121	0x200000000
NTIprocLself58ptridispatch_riid58refiid_rgsznames58ptrlpolestr_cnames58uint_lcid58lcid_rgdispid58ptrdispidT58hresultLOstdcallOT__vTmQiiZaMJLP5PVxP1nC6g_	122	0x200000000
NTIprocLself58ptrirecordinfoT58pvoidLOstdcallOT__tl4K6HbRH9akfWlpgfxzhhQ_	123	0x200000000
NTIprocLself58ptrirecordinfo_pbstrname58ptrbstrT58hresultLOstdcallOT__CiNRVOLKE0o4du7TW0veXA_	124	0x200000000
NTIprocLself58ptrirecordinfo_pcbsize58ptrulongT58hresultLOstdcallOT__9bUQLlQzyTYq9cn1PPQoncWg_	125	0x200000000
NTIprocLself58ptrirecordinfo_pcnames58ptrulong_rgbstrnames58ptrbstrT58hresultLOstdcallOT__3flVhatAuo2wDQ3pLqPtWw_	126	0x200000000
NTIprocLself58ptrirecordinfo_pguid58ptrguidT58hresultLOstdcallOT__szvo7XZUqIEvn15njypZnQ_	127	0x200000000
NTIprocLself58ptrirecordinfo_pptypeinfo58ptrptritypeinfoT58hresultLOstdcallOT__lgbxIcoFlqaRoc8l1J5x6A_	128	0x200000000
NTIprocLself58ptrirecordinfo_precordinfo58ptrirecordinfoT58winboolLOstdcallOT__UrLfbkx3jYpl8aTT7EGhew_	129	0x200000000
NTIprocLself58ptrirecordinfo_pvdata58pvoid_szfieldname58lpcolestr_pvarfield58ptrvariantT58hresultLOstdcallOT__a8wuVcgf8JFBdtyIlUvAGg_	130	0x200000000
NTIprocLself58ptrirecordinfo_pvdata58pvoid_szfieldname58lpcolestr_pvarfield58ptrvariant_ppvdatacarray58ptrpvoidT58hresultLOstdcallOT__V5FpwH0D4atxA49a8FYaWEg_	131	0x200000000
NTIprocLself58ptrirecordinfo_pvexisting58pvoid_pvnew58pvoidT58hresultLOstdcallOT__ZI1jobj8DmvwFnbiO6qPCg_	132	0x200000000
NTIprocLself58ptrirecordinfo_pvnew58pvoidT58hresultLOstdcallOT__79cx3unW0Z6BgDnOrcHfitQ_	133	0x200000000
NTIprocLself58ptrirecordinfo_pvsource58pvoid_ppvdest58ptrpvoidT58hresultLOstdcallOT__ymDIUs9akB6qYPB24WgIOaQ_	134	0x200000000
NTIprocLself58ptrirecordinfo_wflags58ulong_pvdata58pvoid_szfieldname58lpcolestr_pvarfield58ptrvariantT58hresultLOstdcallOT__LKhTenaIJkf6RxVNrDi3BA_	135	0x200000000
NTIprocLself58ptriunknownT58ulongLOstdcallOT__3MBg39aXrFJCcyBWUf6B79aQ_	136	0x200000000
NTIprocLself58ptriunknown_riid58refiid_ppvobject58ptrpointerT58hresultLOstdcallOT__9bWBI5aELdW2XHTbyYNjFXQ_	137	0x200000000
NTIprocLx58timeT58zonedtimeLOclosure_gcsafe_locks5848OT__7xnKxEC24cr3qZyj3gX32w_	138	0x200000000
NTIptrbstr__Pdw3MEiEie9cIIBXdRF4aZg_	139	0x200000000
NTIptrbyte__cG1a2XAxsP28AUq2q9aXnNg_	140	0x200000000
NTIptrchar__9b60r3P3z08159cCfYvgtoSg_	141	0x200000000
NTIptrcy__jXbtSxLfw0itmjWsMdWfNw_	142	0x200000000
NTIptrdecimal__tOyFM5VpR5CfoueNblK2NQ_	143	0x200000000
NTIptrdouble__dHulNBWhJTS79cd5h9cp4OHg_	144	0x200000000
NTIptrfloat__K9c5mNCKsxyPa9bhQF1Un42w_	145	0x200000000
NTIptridispatch__kYuJ1yXKaTDKM1gBNBYZMA_	146	0x200000000
NTIptridispatchvtbl__D2nH2Oqivmr8QTsU9aLjsOQ_	147	0x200000000
NTIptrirecordinfo__3WT32ZAg6wsc9ay7tyclJnQ_	148	0x200000000
NTIptrirecordinfovtbl__7VzmdWawVAQPByb1qFKRtA_	149	0x200000000
NTIptriunknown__UyU8VSOcMgg7fdJy7SxeGw_	150	0x200000000
NTIptriunknownvtbl__RE27JCE9bOJX1xy12IDcHnA_	151	0x200000000
NTIptrlong__9awHbpuyuG8AxbsaqeBLKDQ_	152	0x200000000
NTIptrlonglong__qTZjETMuYhaATb9arhin3WA_	153	0x200000000
NTIptrolechar__9arplNu1iE9bhlDxcL6A4PMw_	154	0x200000000
NTIptrptridispatch__9cAC89c2ntOozT6m3udvMQRQ_	155	0x200000000
NTIptrptriunknown__8MnBU5BrvTao0wsQ9alw3AQ_	156	0x200000000
NTIptrptrsafearray__SD30oco7TmqisM1c9brwQSg_	157	0x200000000
NTIptrsafearray__DTydpwcrqtIWM70d0MgBsw_	158	0x200000000
NTIptrshort__BjHmAJOH9agj4KRxOkanazQ_	159	0x200000000
NTIptrvariant__k5zDQ9aqJXQRCQNlOgs85Ow_	160	0x200000000
NTIqipcproc__BlBp9c2J7tRXTU9adX1vV5gQ_	161	0x200000000
NTIqpcproc__eV9b9cYSUZoo6tKaCd9b3k9bzA_	162	0x200000000
NTIquitproc__PD9b9cqhDqM6Xy1oSxwODsOQ_	163	0x200000000
NTIrefclrerror__FRS9cQbNhae5zCH8EuU1Jew_	164	0x200000000
NTIrefexception__vU9aO9cTqOMn6CBzhV8rX7Sw_	165	0x200000000
NTIrefindexdefect__RJnHOb9cQV3neNC9cDkRgMyw_	166	0x200000000
NTIrefioerror__HMIVdYjdZYWskTmTQVo5BQ_	167	0x1400a80a0
NTIrefobject__HsJiUUcO9cHBdUCi0HwkSTA_	168	0x200000000
NTIrefobject__PNpya69bg5jOKXuhnlj83NQ_	169	0x1400a81e0
NTIrefoverflowdefect__r8GBEWywN07B3Rat3azS4Q_	170	0x200000000
NTIrefreraisedefect__uG62cfJZ15c2siK3CKLmnQ_	171	0x200000000
NTIrefvalueerror__Ie1m0dv1ZHg72IgPRr1cDw_	172	0x1400b6060
NTIrefvariantconversionerror__sSrF5S0WQBiSGAvsVyZTJQ_	173	0x1400b5ee0
NTIreraisedefect__E0L0wGYS1gPD81VLstNO2g_	174	0x200000000
NTIrijndaelcontext__uzMEyYcUmtQ6HTVQxlfmCQ_	175	0x200000000
NTIrootobj__ytyiCJqK439aF9cIibuRVpAg_	176	0x200000000
NTIsafearray__DKskJgJKqdiGvU7qvx1u8A_	177	0x200000000
NTIsafearraybound__MAW7pPwMg9cUv0ZH0AE2pzQ_	178	0x200000000
NTIseqLbyteT__6H5Oh5UUvVCLiakt9aTwtUQ_	179	0x1400b5da0
NTIseqLstacktraceentryT__uB9b75OUPRENsBAu4AnoePA_	180	0x200000000
NTIseqLstringT__sM4lkSb7zS6F7OVMvW9cffQ_	181	0x1400b5fc0
NTIseqLvariantT__3a0Lf6u9aPn9bq0V0eQ07mtw_	182	0x200000000
NTIshort__kDPg4wXyR8DDyA0MeEjIsw_	183	0x200000000
NTIstacktraceentry__oLyohQ7O2XOvGnflOss8EA_	184	0x200000000
NTIstring__77mFvmsOLKik79ci2hXkHEg_	185	0x200000000
NTIsystemrng58objecttype__X9aKjcE9bDr41cpowCIZoGpQ_	186	0x200000000
NTIsystemrng__9aWCZSregXolmau8IgbwrpA_	187	0x200000000
NTItable__MyiXBZqHlwtVNEEvYnEmjg_	188	0x200000000
NTItableref__mmbDGmie1Vw3nGJ9cRqQG7w_	189	0x1400a81a0
NTItimezone58objecttype__F8OvqlxXyGXRSiK9c1fCDVw_	190	0x200000000
NTItimezone__9a5v4OQPlGqsA25ioN8hFYA_	191	0x200000000
NTIuint5150__JrFyJbYm9b5I4hJ9cWDqvfYA_	192	0x200000000
NTIuint5452__wMtfD88jmrPZwfzTH9c8e9cA_	193	0x200000000
NTIuncheckedarrayLutf4954charT__Tyd4y3haUOOHTj71TPIRag_	194	0x200000000
NTIvalueerror__yoNlBGx0D2tRizIdhQuENw_	195	0x1400b6020
NTIvariant58objecttype__FBSF3pWyJz9clqwLRXzZTsA_	196	0x200000000
NTIvariant95union4995struct4995union4995struct49__DtI9bsEAgJB3Tyh5MHrgkrw_	197	0x200000000
NTIvariant95union4995struct4995union49__DjJ9a9aNjdVJoA2NlSK7Lz7Q_	198	0x200000000
NTIvariant95union4995struct49__c8Wtv5nqLcM2jwvHc9cTY9bg_	199	0x200000000
NTIvariant95union49__Sr5LLwiwjGCKhbDlb25pAQ_	200	0x200000000
NTIvariant__UPxdF8T9b3GRPNZqBCwEDkw_	201	0x200000000
NTIvariant__VYnrN9cMJav8fTNB7Pu9bPZw_	202	0x1400b5f20
NTIvariantconversionerror__Y4pKacDNXcA9boOh7ryibHg_	203	0x1400b5ea0
NTIvartype__M4na42GvebBMnI5wV9cYMxg_	204	0x200000000
NTIwidecstringobj__4HwedE75WPfqZSQ0Cq2OUg_	205	0x200000000
NaturalToInt32__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZwinstr_49	206	0x200000000
NimMain	207	0x200000000
NimMainInner	208	0x200000000
NimMainModule	209	0x200000000
NtAllocateVirtualMemory__76oader_817	210	0x200000000
NtClose__76oader_800	211	0x200000000
NtCreateSection__76oader_898	212	0x200000000
NtCreateThreadEx__76oader_832	213	0x200000000
NtFreeVirtualMemory__76oader_936	214	0x200000000
NtMapViewOfSection__76oader_923	215	0x200000000
NtProtectVirtualMemory__76oader_879	216	0x200000000
NtReadVirtualMemory__76oader_951	217	0x200000000
NtWriteVirtualMemory__76oader_864	218	0x200000000
Null__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZclr_18	219	0x1400b5e90
OpenMoreMaxPIDProcess__76oader_1509	220	0x200000000
PreMain	221	0x200000000
PreMainInner	222	0x200000000
RVAtoRawOffset__76oader_989	223	0x200000000
Rcon__OOZOOZ85sersZnicksZOnimbleZpkgsZnimcrypto4548O54O48ZnimcryptoZrijndael_6	224	0x200000000
RuntimeHelp__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZclr_2248	225	0x200000000
SYSCALL_STUB_SIZE__76oader_793	226	0x200000000
SetupETWBreakpoints__76oader_3206	227	0x14000d570
SinkVtbl__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZcom_7125	228	0x200000000
Sink_AddRef__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZcom_7024	229	0x200000000
Sink_GetIDsOfNames__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZcom_7051	230	0x200000000
Sink_GetTypeInfoCount__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZcom_7040	231	0x200000000
Sink_GetTypeInfo__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZcom_7044	232	0x200000000
Sink_Invoke__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZcom_7060	233	0x200000000
Sink_QueryInterface__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZcom_7006	234	0x200000000
Sink_Release__OOZOOZ85sersZnicksZOnimbleZpkgsZwinim4551O57O50ZwinimZcom_7032	235	0x200000000
StartProcess__76oader_1782	236	0x200000000

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 26, 2024 06:26:21.691421986 CEST	1.1.1.1	192.168.2.5	0x4393	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 26, 2024 06:26:21.691421986 CEST	1.1.1.1	192.168.2.5	0x4393	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	00:26:05
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\gEP8SOoakR.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\gEP8SOoakR.exe"
Imagebase:	0x7ff618640000
File size:	710'656 bytes
MD5 hash:	1AF918875C67D204941EC2C8A780E312
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:26:05
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:26:07
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\gEP8SOoakR.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\gep8sooakr.exe 1028
Imagebase:	0x7ff618640000
File size:	710'656 bytes
MD5 hash:	1AF918875C67D204941EC2C8A780E312
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	31.4%
Total number of Nodes:	1705
Total number of Limit Nodes:	37

Executed Functions

Function 00007FF61864C240 Relevance: 137.4, APIs: 46, Strings: 31, Instructions: 2605memorysleepCOMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL ref: 00007FF61864C3DE
memcpy.MSVCRT ref: 00007FF61864C4C3

Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF6186466C7
Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF61864672A

Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BC81
Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BCA2

GetProcessHeap.KERNEL32 ref: 00007FF61864CA71
GetProcessHeap.KERNEL32 ref: 00007FF61864CA7A
exit.MSVCRT ref: 00007FF61864CA96
exit.MSVCRT ref: 00007FF61864CAC2
GetTickCount.KERNEL32 ref: 00007FF61864CC8D
Sleep.KERNEL32 ref: 00007FF61864CC9A
SleepEx.KERNELBASE ref: 00007FF61864CCA0
exit.MSVCRT ref: 00007FF61864CCB1

Strings

CreateFileA, xrefs: 00007FF61864C9B4
LdrLoadDll, xrefs: 00007FF61864C6BE
RtlInitUnicodeString, xrefs: 00007FF61864C6EC
RtlAddVectoredExceptionHandler, xrefs: 00007FF61864C827
GetDiskFreeSpaceExA, xrefs: 00007FF61864CC7E
GetTickCount, xrefs: 00007FF61864C98E
OpenProcess, xrefs: 00007FF61864C7B6
Sleep, xrefs: 00007FF61864C968
GetProcessHeap, xrefs: 00007FF61864C7D5
GetCurrentThreadId, xrefs: 00007FF61864C90B
GetProcAddress, xrefs: 00007FF61864C7FB
SetThreadContext, xrefs: 00007FF61864C899
GetThreadContext, xrefs: 00007FF61864C873
MultiByteToWideChar, xrefs: 00007FF61864C949
GetComputerNameExA, xrefs: 00007FF61864CC40
GetFileSize, xrefs: 00007FF61864C9DA
,{lW, xrefs: 00007FF61864CFB0
GetModuleHandleA, xrefs: 00007FF61864C84D
,$6U, xrefs: 00007FF6186542E6
toVariant, xrefs: 00007FF618655C4B, 00007FF618655CFB, 00007FF618655E5F
VariantConversionError, xrefs: 00007FF618655B97, 00007FF618655C67, 00007FF618655DCF
VirtualProtect, xrefs: 00007FF61864C790
CloseHandle, xrefs: 00007FF61864C8BF
com.nim, xrefs: 00007FF618655C38, 00007FF618655CE5, 00007FF618655E4C
ReadFile, xrefs: 00007FF61864CA2E
p, xrefs: 00007FF618654638
WaitForSingleObject, xrefs: 00007FF61864C92A
RtlAllocateHeap, xrefs: 00007FF61864CA08
OpenThread, xrefs: 00007FF61864C8E5
GlobalMemoryStatusEx, xrefs: 00007FF61864CC5F
GetCurrentProcessId, xrefs: 00007FF61864C76A

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitmemcpy$ByteCharHeapMultiProcessSleepWide$CountTickVersion
String ID: ,$6U$,{lW$CloseHandle$CreateFileA$GetComputerNameExA$GetCurrentProcessId$GetCurrentThreadId$GetDiskFreeSpaceExA$GetFileSize$GetModuleHandleA$GetProcAddress$GetProcessHeap$GetThreadContext$GetTickCount$GlobalMemoryStatusEx$LdrLoadDll$MultiByteToWideChar$OpenProcess$OpenThread$ReadFile$RtlAddVectoredExceptionHandler$RtlAllocateHeap$RtlInitUnicodeString$SetThreadContext$Sleep$VariantConversionError$VirtualProtect$WaitForSingleObject$com.nim$p$toVariant
API String ID: 4036915570-2294705820
Opcode ID: 9ad1a70c879cd67fce42ef66dbeb6a700c76d28bf200cf5e95a7a85a14cfdae9
Instruction ID: 9c0f3513cb83aa3e4ee680be0ef3a9bae2c8db332dd3c05c8bb51f1e506becd4
Opcode Fuzzy Hash: 9ad1a70c879cd67fce42ef66dbeb6a700c76d28bf200cf5e95a7a85a14cfdae9
Instruction Fuzzy Hash: 56435B61A09F8681EB10DB25E8683BD63A1FF84FA0F444535DA5D8779ADF3CE504E388

Function 00007FF618641154 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_amsg_exit.MSVCRT ref: 00007FF618641242
_initterm.MSVCRT ref: 00007FF618641277
_initterm.MSVCRT ref: 00007FF6186412AA
exit.MSVCRT ref: 00007FF61864145D
_cexit.MSVCRT ref: 00007FF61864146C

Strings

0, xrefs: 00007FF6186411B0

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: _initterm$_amsg_exit_cexitexit
String ID: 0
API String ID: 602970348-4108050209
Opcode ID: cd5f1854cfde108e582b60295d62e3ec039059220d8d68b3024adf7ac3627926
Instruction ID: b0f595149582cd307fd3e98c512ac78ff56565fd87b2458c0bdf45a073660d42
Opcode Fuzzy Hash: cd5f1854cfde108e582b60295d62e3ec039059220d8d68b3024adf7ac3627926
Instruction Fuzzy Hash: 3CA1D225B08F0689EB50CB76E89036C37A1AB44FA8F404075DE4DD77A5DE3CE581A798

Function 00007FF61864F6D0 Relevance: 4.9, APIs: 3, Instructions: 373
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FF61864F7EA
ReadFile.KERNELBASE ref: 00007FF61864F850

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: fc99f619782d6e03273b2cb175ca60a22b8bb7caf5abc2e4a8bdbafcafb082da
Instruction ID: 1e9692be2bc0d9b73ca08cb50a414dc457c8ff36398d15aa65f8ae88bf74ab1d
Opcode Fuzzy Hash: fc99f619782d6e03273b2cb175ca60a22b8bb7caf5abc2e4a8bdbafcafb082da
Instruction Fuzzy Hash: 6BF1EF22A09AC185EB11CF3AA8543BE7BA1FB85F94F458036DE8D83795DE3CD145E350

Function 00007FF61865D9E0 Relevance: 293.3, APIs: 4, Strings: 162, Instructions: 2775
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6186420F0: GetProcAddress.KERNEL32 ref: 00007FF61864210E

Part of subcall function 00007FF6186420F0: exit.MSVCRT ref: 00007FF61864223F

signal.MSVCRT ref: 00007FF61865EF96
signal.MSVCRT ref: 00007FF61865EFA3
signal.MSVCRT ref: 00007FF61865EFB0
signal.MSVCRT ref: 00007FF61865EFC3

Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BC81
Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BCA2

Strings

raw, xrefs: 00007FF61865DA88
llVal, xrefs: 00007FF61865E54A
hresult, xrefs: 00007FF61865DB14
cLocks, xrefs: 00007FF61865E243
plVal, xrefs: 00007FF61865E1B2
ppunkVal, xrefs: 00007FF618660682
pvarVal, xrefs: 00007FF6186607E5
pllVal, xrefs: 00007FF61865E191
GetModuleFileNameW, xrefs: 00007FF61865F545
dblVal, xrefs: 00007FF61865E4B1
RecordInit, xrefs: 00007FF61865DDBE
GetProcAddress, xrefs: 00007FF61865F324
AddRef, xrefs: 00007FF61865E352
SysFreeString, xrefs: 00007FF618661947
tProcess1, xrefs: 00007FF61865DB6A
:state, xrefs: 00007FF618661E0E
PutField, xrefs: 00007FF61865DD6D
signscale, xrefs: 00007FF61865DF8B
RecordDestroy, xrefs: 00007FF61865DD2D
pcVal, xrefs: 00007FF618660C9B
Thread32Next, xrefs: 00007FF618661A9A
GetThreadContext, xrefs: 00007FF61865F2A2
HeapCreate, xrefs: 00007FF61865F2BC
Lo32, xrefs: 00007FF61865DF35
parray, xrefs: 00007FF61865E2BF
GetField, xrefs: 00007FF618661232
data, xrefs: 00007FF618661B6A
VariantClear, xrefs: 00007FF618661993
WideCharToMultiByte, xrefs: 00007FF61865F1F7
coresCount, xrefs: 00007FF61865F85E
IsMatchingType, xrefs: 00007FF6186612B8
piVal, xrefs: 00007FF61865E1C2
procname, xrefs: 00007FF61865E749
name, xrefs: 00007FF61865DC13
SafeArrayPutElement, xrefs: 00007FF6186619FB
GetTypeInfo, xrefs: 00007FF61865DD89
SetConsoleCP, xrefs: 00007FF61865E858
pulVal, xrefs: 00007FF61865DEBB
ullVal, xrefs: 00007FF61865E07D
GetCurrentProcess, xrefs: 00007FF61865F38C
line, xrefs: 00007FF61865E734
cElements, xrefs: 00007FF61865E209
byref, xrefs: 00007FF61865E0F4
WaitForSingleObject, xrefs: 00007FF61865F3C0
cDims, xrefs: 00007FF61865E29A
NtFlushInstructionCache4, xrefs: 00007FF618661E21
pRecInfo, xrefs: 00007FF618661740
GetName, xrefs: 00007FF6186611A4
punkVal, xrefs: 00007FF61865E38F
queryUnbiasedInterruptTime, xrefs: 00007FF61865F77F
lVal, xrefs: 00007FF61865E525
cbElements, xrefs: 00007FF61865E260
InitializeProcThreadAttributeList, xrefs: 00007FF61865F33E
Field0, xrefs: 00007FF61865DAEC
pdispVal, xrefs: 00007FF61865E308
rgsabound, xrefs: 00007FF6186603EF
RecordClear, xrefs: 00007FF61865DDA5
pcyVal, xrefs: 00007FF618660636
cipher, xrefs: 00007FF618661FA4
ResumeThread, xrefs: 00007FF61865F3A6
MultiByteToWideChar, xrefs: 00007FF61865F23C
cyVal, xrefs: 00007FF61865E467
pboolVal, xrefs: 00007FF61865E168
pvData, xrefs: 00007FF61865E226
UpdateProcThreadAttribute, xrefs: 00007FF61865F358
filename, xrefs: 00007FF61865E71E
bVal, xrefs: 00007FF61865E508
lpVtbl, xrefs: 00007FF61865DDDA
HeapAlloc, xrefs: 00007FF61865F2D6
union2, xrefs: 00007FF618660C34
skey, xrefs: 00007FF61865F453
pbstrVal, xrefs: 00007FF618660642
Hi32, xrefs: 00007FF61865DF62
PutFieldNoCopy, xrefs: 00007FF61865DD55
pdecVal, xrefs: 00007FF618660C88
puiVal, xrefs: 00007FF61865DED8
ppdispVal, xrefs: 00007FF6186606D3
zonedTimeFromAdjTimeImpl, xrefs: 00007FF61865DC52
pvRecord, xrefs: 00007FF61865DE02
Lo64, xrefs: 00007FF61865DEF8
wReserved3, xrefs: 00007FF61865E583
GetGuid, xrefs: 00007FF61866114A
RecordCreate, xrefs: 00007FF6186613DD
lLbound, xrefs: 00007FF61865E1EC
lstrlenW, xrefs: 00007FF61865F256
scale, xrefs: 00007FF61865DFCD
QueryInterface, xrefs: 00007FF61865FDF4
intVal, xrefs: 00007FF61865E053
GetFieldNoCopy, xrefs: 00007FF618661255
GetProcessHeap, xrefs: 00007FF61865F2F0
iVal, xrefs: 00007FF61865E4EB
RecordCreateCopy, xrefs: 00007FF6186613FB
boolVal, xrefs: 00007FF61865E494
uiVal, xrefs: 00007FF61865E0BA
wReserved2, xrefs: 00007FF61865E5A4
pdate, xrefs: 00007FF61865E121
msg, xrefs: 00007FF61865E762
DispGetIDsOfNames, xrefs: 00007FF618661934
GetCommandLineW, xrefs: 00007FF61865F532
union1, xrefs: 00007FF61865DFFA
scode, xrefs: 00007FF61865E477
CreateToolhelp32Snapshot, xrefs: 00007FF618661A66
remoteProcID2, xrefs: 00007FF61865DB55
parent, xrefs: 00007FF61865E788
treadHandle3, xrefs: 00007FF61865DB35
wReserved1, xrefs: 00007FF61865E5C6
SafeArrayCreate, xrefs: 00007FF6186619E1
Mid32, xrefs: 00007FF61865DF08
GetIDsOfNames, xrefs: 00007FF61865FF98
sign, xrefs: 00007FF61865DFB0
bstrVal, xrefs: 00007FF61865E3A8
GetSize, xrefs: 00007FF6186611BF
pintVal, xrefs: 00007FF61865DE75
Invoke, xrefs: 00007FF6186600C7
GetTypeInfoCount, xrefs: 00007FF61865FF85
SysStringLen, xrefs: 00007FF61865F229
wReserved, xrefs: 00007FF61865E026
CoInitialize, xrefs: 00007FF618661980
IsEqualGUID, xrefs: 00007FF61865F1C5
fltVal, xrefs: 00007FF61865E4CE
GetCurrentThread, xrefs: 00007FF61865F28F
pullVal, xrefs: 00007FF61865DEA2
Thread32First, xrefs: 00007FF618661A80
OpenProcess, xrefs: 00007FF61866216A
hIntel, xrefs: 00007FF61865F901
zonedTimeFromTimeImpl, xrefs: 00007FF61865DC7B
decVal, xrefs: 00007FF61865DCFD
pbVal, xrefs: 00007FF6186604DF
Field2, xrefs: 00007FF618661AF7
cVal, xrefs: 00007FF61865E0D7
fFeatures, xrefs: 00007FF61865E27D
uintVal, xrefs: 00007FF61865E036
dctx6, xrefs: 00007FF618661FCD
int64, xrefs: 00007FF61865E3E5
SysAllocString, xrefs: 00007FF6186619C7
bCryptGenRandom, xrefs: 00007FF61865F73A
GetFieldNames, xrefs: 00007FF61866128A
GetForegroundWindow, xrefs: 00007FF61865F3F9
CLRCreateInstance, xrefs: 00007FF618661A34
queryProcessCycleTime, xrefs: 00007FF61865F752
Field1, xrefs: 00007FF61865DACB
trace, xrefs: 00007FF61865EA6C
RtlGetVersion, xrefs: 00007FF618662125
pscode, xrefs: 00007FF61865E139
Release, xrefs: 00007FF61865E33D
GetFileAttributesW, xrefs: 00007FF618662157
date, xrefs: 00007FF61865E3C8
SetConsoleOutputCP, xrefs: 00007FF61865E845
counter, xrefs: 00007FF61865DAB3
pfltVal, xrefs: 00007FF6186604F7
GetWindowThreadProcessId, xrefs: 00007FF61865F413
key5, xrefs: 00007FF618661F6E
CreateProcessW, xrefs: 00007FF61865F372
LoadLibraryA, xrefs: 00007FF61865F30A
RecordCopy, xrefs: 00007FF618661120
ulVal, xrefs: 00007FF61865E09D
queryIdleProcessorCycleTime, xrefs: 00007FF61865F830
pparray, xrefs: 00007FF618660704
struct1, xrefs: 00007FF61865DE1B
pdblVal, xrefs: 00007FF61865E181
VariantCopy, xrefs: 00007FF6186619AD
puintVal, xrefs: 00007FF61865DE5C

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: signal$memcpy$AddressProcexit
String ID: :state$AddRef$CLRCreateInstance$CoInitialize$CreateProcessW$CreateToolhelp32Snapshot$DispGetIDsOfNames$Field0$Field1$Field2$GetCommandLineW$GetCurrentProcess$GetCurrentThread$GetField$GetFieldNames$GetFieldNoCopy$GetFileAttributesW$GetForegroundWindow$GetGuid$GetIDsOfNames$GetModuleFileNameW$GetName$GetProcAddress$GetProcessHeap$GetSize$GetThreadContext$GetTypeInfo$GetTypeInfoCount$GetWindowThreadProcessId$HeapAlloc$HeapCreate$Hi32$InitializeProcThreadAttributeList$Invoke$IsEqualGUID$IsMatchingType$Lo32$Lo64$LoadLibraryA$Mid32$MultiByteToWideChar$NtFlushInstructionCache4$OpenProcess$PutField$PutFieldNoCopy$QueryInterface$RecordClear$RecordCopy$RecordCreate$RecordCreateCopy$RecordDestroy$RecordInit$Release$ResumeThread$RtlGetVersion$SafeArrayCreate$SafeArrayPutElement$SetConsoleCP$SetConsoleOutputCP$SysAllocString$SysFreeString$SysStringLen$Thread32First$Thread32Next$UpdateProcThreadAttribute$VariantClear$VariantCopy$WaitForSingleObject$WideCharToMultiByte$bCryptGenRandom$bVal$boolVal$bstrVal$byref$cDims$cElements$cLocks$cVal$cbElements$cipher$coresCount$counter$cyVal$data$date$dblVal$dctx6$decVal$fFeatures$filename$fltVal$hIntel$hresult$iVal$int64$intVal$key5$lLbound$lVal$line$llVal$lpVtbl$lstrlenW$msg$name$pRecInfo$parent$parray$pbVal$pboolVal$pbstrVal$pcVal$pcyVal$pdate$pdblVal$pdecVal$pdispVal$pfltVal$piVal$pintVal$plVal$pllVal$pparray$ppdispVal$ppunkVal$procname$pscode$puiVal$puintVal$pulVal$pullVal$punkVal$pvData$pvRecord$pvarVal$queryIdleProcessorCycleTime$queryProcessCycleTime$queryUnbiasedInterruptTime$raw$remoteProcID2$rgsabound$scale$scode$sign$signscale$skey$struct1$tProcess1$trace$treadHandle3$uiVal$uintVal$ulVal$ullVal$union1$union2$wReserved$wReserved1$wReserved2$wReserved3$zonedTimeFromAdjTimeImpl$zonedTimeFromTimeImpl
API String ID: 1418167214-113516584
Opcode ID: d47488d9ee190774b649e4c390b96226bbdbc17827aeb9eca4f7ffb4d63aa4df
Instruction ID: 554a51feb9eeb01c70336332dbbe2f894c7b6adc596a80c6cfaec3c5fd1d7a15
Opcode Fuzzy Hash: d47488d9ee190774b649e4c390b96226bbdbc17827aeb9eca4f7ffb4d63aa4df
Instruction Fuzzy Hash: AA930E21C1CED295F7128B38A4653F573A1AFA1B28F005335C98C96665EF7EF149E388

Function 00007FF618648C30 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 190
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fileno.MSVCRT ref: 00007FF618648C4D
_setmode.MSVCRT ref: 00007FF618648C5E
_fileno.MSVCRT ref: 00007FF618648C6A
_setmode.MSVCRT ref: 00007FF618648C74
_fileno.MSVCRT ref: 00007FF618648C80
_setmode.MSVCRT ref: 00007FF618648C8A
SetConsoleOutputCP.KERNEL32 ref: 00007FF618648C91
SetConsoleCP.KERNEL32 ref: 00007FF618648C9C
LoadLibraryA.KERNEL32 ref: 00007FF618648CA9
GetProcAddress.KERNEL32 ref: 00007FF618648CBE
CoInitialize.OLE32 ref: 00007FF618648E5B

Strings

Ws2_32.dll, xrefs: 00007FF618648CA2
inet_ntop, xrefs: 00007FF618648CB7

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: _fileno_setmode$Console$AddressInitializeLibraryLoadOutputProc
String ID: Ws2_32.dll$inet_ntop
API String ID: 1755878316-2739477577
Opcode ID: e5f69b7beea4d2e17986bbdfd9c329ef1c06748a6842980b7fc6a90759a69aee
Instruction ID: 864431bc3caf7dbc7822a435dff43cc953624673271bf1beb103368e20c25648
Opcode Fuzzy Hash: e5f69b7beea4d2e17986bbdfd9c329ef1c06748a6842980b7fc6a90759a69aee
Instruction Fuzzy Hash: 96913731A19F1681EB449B64F82837C67A1FB94FA0F840135DA8D83794DF7CE855E788

Function 00007FF618642260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF618641DB0: strlen.MSVCRT ref: 00007FF618641DC1
Part of subcall function 00007FF618641DB0: fwrite.MSVCRT ref: 00007FF618641DD4

exit.MSVCRT(?,?,?,?,00007FF618642365,?,?,?,?,00007FF6186F6128,?,3F000000,0000023B7B218060,00007FF618642D1D), ref: 00007FF618642283
VirtualAlloc.KERNEL32 ref: 00007FF618642313
VirtualAlloc.KERNEL32 ref: 00007FF6186423CD

Strings

out of memory, xrefs: 00007FF61864226F

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AllocVirtual$exitfwritestrlen
String ID: out of memory
API String ID: 4248889879-49810860
Opcode ID: 572b70c8746dd87391455c9951a549d2fe058ef75a72fd209dbd6540cf9ebad6
Instruction ID: 4101c6b4d47ea2220483c63e6e0d2144e11eccfb5b26fe57d0494d387376e551
Opcode Fuzzy Hash: 572b70c8746dd87391455c9951a549d2fe058ef75a72fd209dbd6540cf9ebad6
Instruction Fuzzy Hash: 5E218932B05F8182EB188B29E5583AEA7A0E748BE0F548235CB6D873C1CF3DE495D344

Function 00007FF618642290 Relevance: 3.9, APIs: 3, Instructions: 153
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF618642313
VirtualAlloc.KERNEL32 ref: 00007FF6186423CD

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d291759a0de0c79898f6dbac63395a54edfacf35a98a0a029e5f5d299916318c
Instruction ID: 2f70b944df992ffb1371c0cca6f670507ffda02558da083a2d958fe8d24f6050
Opcode Fuzzy Hash: d291759a0de0c79898f6dbac63395a54edfacf35a98a0a029e5f5d299916318c
Instruction Fuzzy Hash: E8519E32705B8580EB198B29E4683AD67A0EB89FE4F688135DE5D8B3C5DF39E085D344

Function 00007FF61864BB80 Relevance: 3.9, APIs: 3, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF61864BC81
memcpy.MSVCRT ref: 00007FF61864BCA2
memcpy.MSVCRT ref: 00007FF61864BD8F

Part of subcall function 00007FF618643F10: memset.MSVCRT ref: 00007FF618643FA2

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 3b4c29ced6fc8eeeec82797927dfcd0c7633041d78cfa8070d8ed1b799edb56f
Instruction ID: 46969cec201093a4b8882caac8b36324a50f65ccc6ef379bbc8e328f9a740e8b
Opcode Fuzzy Hash: 3b4c29ced6fc8eeeec82797927dfcd0c7633041d78cfa8070d8ed1b799edb56f
Instruction Fuzzy Hash: E351AC72609F8582EB60DB65E4503AD77A0FB84F98F858532DA8C87795EF3CD408D384

Function 00007FF618645B50 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF618645C93

Strings

ReraiseDefect, xrefs: 00007FF618645BB0

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy
String ID: ReraiseDefect
API String ID: 3510742995-3378185472
Opcode ID: 3d8b739972ca8e438c50810a4c5b3cc62ed4dd1843d6bc16f41e52db819bbd6b
Instruction ID: 2b83dc9c2756f8405541835e8a65b5133f6bb17ca8e55686c59d7b2bd7bf20e4
Opcode Fuzzy Hash: 3d8b739972ca8e438c50810a4c5b3cc62ed4dd1843d6bc16f41e52db819bbd6b
Instruction Fuzzy Hash: 28310092E09E8681EF049B6480153FE6361AF85FA8F84C336EE1C877D5DE2DE0419384

Function 00007FF618652AF0 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputc.MSVCRT ref: 00007FF618652B3B
fputc.MSVCRT ref: 00007FF618652BB2

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 976687d18dcbde25fb2f27b54ea2ace063131402e174eac00e8739f934d84b60
Instruction ID: 5e34e31fe80273933e8485c10af91263ba096884cb204f70d71a6e709634a9e5
Opcode Fuzzy Hash: 976687d18dcbde25fb2f27b54ea2ace063131402e174eac00e8739f934d84b60
Instruction Fuzzy Hash: 6B21AD91F08F4659FB245E3199A13B99742AF54FE8F480435ED4DC7397EE2CE044A2C8

Function 00007FF618657A84 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF618657ADE

Strings

(null), xrefs: 00007FF618657A9B

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: strlen
String ID: (null)
API String ID: 39653677-3941151225
Opcode ID: 60a14fea7312a30a1871a09b9c8ad1655b03cd16810d8fc01ab3535e0c4490f3
Instruction ID: 729672d1cb0267ab0bb7c0a98f57e1a7630d8075dbcf27bb5b941b5c6cb78c7d
Opcode Fuzzy Hash: 60a14fea7312a30a1871a09b9c8ad1655b03cd16810d8fc01ab3535e0c4490f3
Instruction Fuzzy Hash: 5E01DA62A04B458ED700DF36D8812A827A4FB98FE8F004935EA1CC7B9ADF38D56193D4

Function 00007FF618642370 Relevance: 2.6, APIs: 2, Instructions: 149
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF6186423CD

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c860b48c35a084a74044e7cd34d00d18a6d3e2b853acf56c531b6c1780ca4de8
Instruction ID: 526f7d5f4271846ed2cf437e98c257e43d4d5a4b2829445c42f588c5959ee3c6
Opcode Fuzzy Hash: c860b48c35a084a74044e7cd34d00d18a6d3e2b853acf56c531b6c1780ca4de8
Instruction Fuzzy Hash: 02517F72706F8580EF199B25D8683AD27A1EB94FD4F688536DE0D4B384EE39E441D344

Function 00007FF618657900 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputc.MSVCRT ref: 00007FF61865794E

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 504284c848961401c03dab208bcdb2fd3e9e69f166b779f959cc6528fe2ed3ec
Instruction ID: 99fb568d792e71f05de70d8efb6c90a9f1095987c70d15b936131f5e16ba8f11
Opcode Fuzzy Hash: 504284c848961401c03dab208bcdb2fd3e9e69f166b779f959cc6528fe2ed3ec
Instruction Fuzzy Hash: 0211ECB7A04B558ADB10CF3AC48259C3BB1E798FD4B048521EE1C87769DA38D8A1C7D4

Function 00007FF618652BF0 Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF618652AF0: fputc.MSVCRT ref: 00007FF618652B3B

fwrite.MSVCRT ref: 00007FF618652C2F

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fputcfwrite
String ID:
API String ID: 1748715138-0
Opcode ID: 7e5f3e22f6477dcc98f07a37a3c497c4555276e6af354cbcff0d8c90c18582ba
Instruction ID: c5e03ad5a61781b9ee626a2a381c79d2ac46752a89ba00f2ae2cd622fb4e4ac3
Opcode Fuzzy Hash: 7e5f3e22f6477dcc98f07a37a3c497c4555276e6af354cbcff0d8c90c18582ba
Instruction Fuzzy Hash: DAE04F20B0994145E704A372BC553B92211AB5DFE4F980034DD1ED73C7DC5E95C1E389

Function 00007FF618642EA0 Relevance: 1.4, APIs: 1, Instructions: 161
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF618642FB1

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 321835cd96ba8efe0387975720fab5ce3dd7b1d947ab60ff2c82da5e989755bf
Instruction ID: 8d15e2b8716389fc2c1176eb5a4d467be44704e8015ca64d6d5ef8829de05730
Opcode Fuzzy Hash: 321835cd96ba8efe0387975720fab5ce3dd7b1d947ab60ff2c82da5e989755bf
Instruction Fuzzy Hash: 4B61CD72A05F4290EB198B25E5143AD63A0FF84FA4F288235DA5D87798EF38E4D0D394

Function 00007FF618643F10 Relevance: 1.3, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF618643FA2

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 2174c3a5885be39917ec11d46805d78a43f914ca332ddcd8c608c9838d273810
Instruction ID: 05fc0dd66cacc1dfc6aff751a3974e786029c3328441cdbd6d044bea2aeb5488
Opcode Fuzzy Hash: 2174c3a5885be39917ec11d46805d78a43f914ca332ddcd8c608c9838d273810
Instruction Fuzzy Hash: 15412AB6A08E4690EB44CF75D6606BC7365EB98FB0F940233DA1D83790DF39D8999384

Non-executed Functions

Function 00007FF61864D570 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 334threadlibraryloaderCOMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF61864D5B8
memset.MSVCRT ref: 00007FF61864D5C9
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF61864D62D
Thread32First.KERNEL32 ref: 00007FF61864D697
GetCurrentProcessId.KERNEL32 ref: 00007FF61864D6B3

Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BC81
Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BCA2

Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF6186466C7
Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF61864672A

CloseHandle.KERNEL32 ref: 00007FF61864D6DE
OpenThread.KERNEL32 ref: 00007FF61864D70C
GetThreadContext.KERNEL32 ref: 00007FF61864D724
SetThreadContext.KERNEL32 ref: 00007FF61864D778
CloseHandle.KERNEL32 ref: 00007FF61864D7A1
GetModuleHandleA.KERNEL32 ref: 00007FF61864D7E6
GetModuleHandleA.KERNEL32 ref: 00007FF61864D9A7
GetProcAddress.KERNEL32 ref: 00007FF61864D9FF
RtlInitUnicodeString.NTDLL ref: 00007FF61864DA9E
LdrLoadDll.NTDLL ref: 00007FF61864DAAE

Strings

D|u, xrefs: 00007FF61864D982

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: Handle$Thread$ByteCharCloseContextModuleMultiWidememcpy$AddressCreateCurrentExceptionFirstHandlerInitLoadOpenProcProcessSnapshotStringThread32Toolhelp32UnicodeVectoredmemset
String ID: D|u
API String ID: 3395284975-2768058641
Opcode ID: 891aaf5d3fad9ee332ba8d6d8aa4939c2175d9e8edaee7be07ad7d3c740c9309
Instruction ID: 1af051be9ba5f83094cf2cae80e73c08b0ce6060a4307d2cab30ac11fcacb8b3
Opcode Fuzzy Hash: 891aaf5d3fad9ee332ba8d6d8aa4939c2175d9e8edaee7be07ad7d3c740c9309
Instruction Fuzzy Hash: BCE18061E0DE8282EB149B71E4243BE6792AFE1FA4F444035DA4D87789DF7CE405E398

Function 00007FF618650460 Relevance: 19.5, APIs: 11, Strings: 1, Instructions: 1506COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF6186518F8

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 29826dee93601c698e02eefa80bc21faf82cf4e88beceff3dc40afeec444d213
Instruction ID: bdeaa9813366ad36a47fd89389a3ec67e0612b2128c0163cbe2186b7397b3c40
Opcode Fuzzy Hash: 29826dee93601c698e02eefa80bc21faf82cf4e88beceff3dc40afeec444d213
Instruction Fuzzy Hash: 42E2B0B2A05F4682EF549B25C0487B93366FB40FE4F859536CA2D8B386DF78E490D385

Function 00007FF618652CA0 Relevance: 14.6, APIs: 5, Strings: 3, Instructions: 593COMMON

Download Yara Rule

APIs

_setjmp.MSVCRT ref: 00007FF618652D17
_setjmp.MSVCRT ref: 00007FF618652DD3
_setjmp.MSVCRT ref: 00007FF618652E36
_setjmp.MSVCRT ref: 00007FF618652F9D

Strings

unable t, xrefs: 00007FF6186532CD
o get ru, xrefs: 00007FF6186532D7
ntime of, xrefs: 00007FF6186532FB

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: _setjmp
String ID: ntime of$o get ru$unable t
API String ID: 3051281561-3332830050
Opcode ID: 801bcd6618d348d0d48273dd658ae449c06088d2ea006600bb12a2a67b10bcbd
Instruction ID: 6a351d41a6e2384d4f47e5c229c050608aa27b95d4cb4e4b1fca237086930b0c
Opcode Fuzzy Hash: 801bcd6618d348d0d48273dd658ae449c06088d2ea006600bb12a2a67b10bcbd
Instruction Fuzzy Hash: 56523876A08F4681EB11CF2AE9503AA73A1FB85FA4F408132DA4D877A5EF3CD444D784

Function 00007FF61865A58A Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 1364COMMON

Download Yara Rule

Strings

NaN, xrefs: 00007FF61865A6BE
Infinity, xrefs: 00007FF61865A68D

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: Infinity$NaN
API String ID: 0-4285296124
Opcode ID: 8eb6e90b40a522c83c16ab071c1b9b5d385b7e3e3b03d292f8c2849d7fb58425
Instruction ID: 01bbd536fc90f56a09a3432b00703ef2b9dac2911fef451fbda7bff293bc5a46
Opcode Fuzzy Hash: 8eb6e90b40a522c83c16ab071c1b9b5d385b7e3e3b03d292f8c2849d7fb58425
Instruction Fuzzy Hash: 1EE21B32A04B858EE751CF79C4453AD37A1FB45BACF108225EA0D97B5ADF38E481DB84

Function 00007FF618646970 Relevance: 4.2, Strings: 2, Instructions: 1713COMMON

Download Yara Rule

Strings

, xrefs: 00007FF618646D1D
@, xrefs: 00007FF618647936

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memset
String ID: $@
API String ID: 2221118986-1077428164
Opcode ID: 13095dfd6ba0f7c0424704935cd0f62bc7e6940c9fd3d043ab4de0aeeb535895
Instruction ID: faf4a577fa2a49647fd95749b47b7f35dd48c51e643923878c95caa40d99bed5
Opcode Fuzzy Hash: 13095dfd6ba0f7c0424704935cd0f62bc7e6940c9fd3d043ab4de0aeeb535895
Instruction Fuzzy Hash: 37D224A2718B9442FF10CBB1A9217ABA691FB98BD4F08A531EF9D57B49CE3CD501D340

Function 00007FF61864E7F0 Relevance: 3.2, Strings: 2, Instructions: 657COMMON

Download Yara Rule

Strings

"""""""", xrefs: 00007FF61864F244
DDDDDDDD, xrefs: 00007FF61864F257

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: """"""""$DDDDDDDD
API String ID: 0-1621327129
Opcode ID: b82ce2f4609bb53dc7f34ad5cedf9ba7fb6b3b45cd4dfa7873e0e52ba1bb3d2f
Instruction ID: fe7ff751ab4165cbb3ee07afc59c5f080c6990b07d785057a3f8ccfe5439375b
Opcode Fuzzy Hash: b82ce2f4609bb53dc7f34ad5cedf9ba7fb6b3b45cd4dfa7873e0e52ba1bb3d2f
Instruction Fuzzy Hash: 4C425062718BD485E760CFA1B92179BB7A1F789BD4F04A226DE8C67F18DB3CD0518B04

Function 00007FF618644A80 Relevance: 2.8, Strings: 2, Instructions: 323COMMON

Download Yara Rule

Strings

c, xrefs: 00007FF618644A9E
00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00007FF618644ABC, 00007FF618644D26

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$c
API String ID: 0-131350621
Opcode ID: b0f27cf25af07b8383b1ffa34ff7c3a2ffe019ecf41ebd58f2b556fdfcf10548
Instruction ID: b877afe55bf308bc7a1cb28d04487f1d22f6518b330825161f526763b2b2d1a9
Opcode Fuzzy Hash: b0f27cf25af07b8383b1ffa34ff7c3a2ffe019ecf41ebd58f2b556fdfcf10548
Instruction Fuzzy Hash: E9C1A2A2B15A4A46EF608B29A8423BD6251EB98FB4F148331DF3D873D4EE3CE544D344

Function 00007FF618646760 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

33333333, xrefs: 00007FF618646828
UUUUUUUU, xrefs: 00007FF618646772

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: 33333333$UUUUUUUU
API String ID: 0-3483174168
Opcode ID: 441117c694ab834bf65894c7cf1b76a728a697286da176495cad2e6614abf1fb
Instruction ID: ce635fbe03f273c4060d4f95008f9c0126ce9dda3d0ee2486fa34e039c3354eb
Opcode Fuzzy Hash: 441117c694ab834bf65894c7cf1b76a728a697286da176495cad2e6614abf1fb
Instruction Fuzzy Hash: 7D41C3E3B70BB895EA01CF559905AD56761F314FE8A19E026DF0E3BB0EC638DA47C241

Function 00007FF61864B420 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3714a5fb3d47062bea9f9d64224d3524031238b0c8af0a1b32fa3bc957e744aa
Instruction ID: 32641a185d426d658a4cb74f74d4aa71ded881b12cba47820ad1e639b0cc8cf5
Opcode Fuzzy Hash: 3714a5fb3d47062bea9f9d64224d3524031238b0c8af0a1b32fa3bc957e744aa
Instruction Fuzzy Hash: 17023953F74FD540F713477CA802EA4AA009BB77F4B19A301FD62A2BE3DA5297178A44

Function 00007FF6186FCED8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07b2d952290f387382cc2f5e79bacd254f290a86a9c4c19ba8e67e474d8b6b4
Instruction ID: 0758d3a5e5a8b5820bb402352e5ae51da366cbd56ed85a60f963719d4c0bd75f
Opcode Fuzzy Hash: b07b2d952290f387382cc2f5e79bacd254f290a86a9c4c19ba8e67e474d8b6b4
Instruction Fuzzy Hash: BFF0FE97D4EFD25AF3474A342C242182F905B92A20F4D41B7C6D8D27D7D90D99059355

Function 00007FF6186FCEE8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16a24acacea60a84a0becf7496c6c670920c21d38291318871b6924ec32608f
Instruction ID: 0d9e07492d293c1c24429e2c30c26ab9ba3d0326444f48163ccce00038a83bb4
Opcode Fuzzy Hash: c16a24acacea60a84a0becf7496c6c670920c21d38291318871b6924ec32608f
Instruction Fuzzy Hash: 24F0A597D4EBE21AE3031A342C3401C2FA05BA3D20B8E81B7C7D8C36D7990C9C08D366

Function 00007FF6186499F0 Relevance: 31.9, APIs: 10, Strings: 8, Instructions: 373COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FF618649ABC
SysFreeString.OLEAUT32 ref: 00007FF618649ADC
CoInitialize.OLE32 ref: 00007FF618649B18
VariantCopy.OLEAUT32 ref: 00007FF618649B65
_setjmp.MSVCRT ref: 00007FF618649C04

Strings

d except, xrefs: 00007FF618649F05
uncatche, xrefs: 00007FF618649EFB
hander:, xrefs: 00007FF618649F16
ion insi, xrefs: 00007FF618649F24
VariantConversionError, xrefs: 00007FF618649CE4, 00007FF618649D5E
de event, xrefs: 00007FF618649F32
newVariant, xrefs: 00007FF618649D4B
com.nim, xrefs: 00007FF618649D44

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: String$CopyFreeInitializeVariant_setjmp
String ID: hander:$VariantConversionError$com.nim$d except$de event$ion insi$newVariant$uncatche
API String ID: 1008739868-602244300
Opcode ID: c23ee155f59d934d9a68fdb77470885bf1cb3e8d75ddbd0a88825e00950ca865
Instruction ID: 0cd3d0b5c92a97d2121a2b727fc533c7270522da7f27bd0e957dafbcf760aea3
Opcode Fuzzy Hash: c23ee155f59d934d9a68fdb77470885bf1cb3e8d75ddbd0a88825e00950ca865
Instruction Fuzzy Hash: 95024672A09F4681EB108F25E4A43AE77A1FB94FA4F444136DA4D877A9DF3CE444E384

Function 00007FF6186483F0 Relevance: 31.7, APIs: 3, Strings: 15, Instructions: 224COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF618648412

Strings

paramStr, xrefs: 00007FF6186485A4
os.nim, xrefs: 00007FF61864858E
not in , xrefs: 00007FF618648734
er is em, xrefs: 00007FF618648545
pty, xrefs: 00007FF618648557
t of bou, xrefs: 00007FF618648504
inde, xrefs: 00007FF6186487A7
nds, the, xrefs: 00007FF618648537
0 .., xrefs: 00007FF6186487B7
not in , xrefs: 00007FF618648672
IndexDefect, xrefs: 00007FF6186484C7
index ou, xrefs: 00007FF61864850E
not in , xrefs: 00007FF618648776
contain, xrefs: 00007FF618648529
0 .., xrefs: 00007FF61864868B

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: CommandLine
String ID: contain$ not in $ not in $ not in $0 ..$0 ..$IndexDefect$er is em$inde$index ou$nds, the$os.nim$paramStr$pty$t of bou
API String ID: 3253501508-475797482
Opcode ID: 74122c24c0382604b01f4cff30d2f2a8460fd49ea4f5a06927617e3ba1fdba9b
Instruction ID: 66895255228c2b87f98095e921e41864ea209a74a888ce1f8b155334a2f0207b
Opcode Fuzzy Hash: 74122c24c0382604b01f4cff30d2f2a8460fd49ea4f5a06927617e3ba1fdba9b
Instruction Fuzzy Hash: 29A19532A09F4280EB048F25E96436D7BA5FB94FA4F448036DA5C87395EF3CE554E388

Function 00007FF61864A740 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF6186466C7
Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF61864672A

SysAllocString.OLEAUT32 ref: 00007FF61864A77F
_setjmp.MSVCRT ref: 00007FF61864A7D6
CoInitialize.OLE32 ref: 00007FF61864A8BB
SysFreeString.OLEAUT32 ref: 00007FF61864A946
memcpy.MSVCRT ref: 00007FF61864AA0C
CoInitialize.OLE32 ref: 00007FF61864AA43
SafeArrayCreate.OLEAUT32 ref: 00007FF61864AAC9
SafeArrayPutElement.OLEAUT32 ref: 00007FF61864AAFA

Strings

toVariant, xrefs: 00007FF61864ACCE
o invoke, xrefs: 00007FF61864A97F
ed membe, xrefs: 00007FF61864A9D1
unable t, xrefs: 00007FF61864A9B5
VariantConversionError, xrefs: 00007FF61864AC66, 00007FF61864ACE1
r: , xrefs: 00007FF61864A9F6
com.nim, xrefs: 00007FF61864ACC7
specifi, xrefs: 00007FF61864A9C3

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: ArrayByteCharInitializeMultiSafeStringWide$AllocCreateElementFree_setjmpmemcpy
String ID: specifi$VariantConversionError$com.nim$ed membe$o invoke$r: $toVariant$unable t
API String ID: 4234589578-1707675
Opcode ID: df58db6be012ea270ca5ee00f32570b053bba1f68944712e992e1bbd43113879
Instruction ID: 614af9e660fa2ae3b09c696be37adc0d243dcbc001854506f409226d34ca3a12
Opcode Fuzzy Hash: df58db6be012ea270ca5ee00f32570b053bba1f68944712e992e1bbd43113879
Instruction Fuzzy Hash: 73F16D32A09F8691EB208B25F4A43AE73A0FB94F90F544139DA8D87795DF7CD444D788

Function 00007FF618645110 Relevance: 27.5, APIs: 8, Strings: 10, Instructions: 466stringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF6186451DB
strlen.MSVCRT ref: 00007FF61864521E

Strings

on: , xrefs: 00007FF61864517A
[[rerais, xrefs: 00007FF618645778
]], xrefs: 00007FF618645758
ed from:, xrefs: 00007FF618645782
Error: u, xrefs: 00007FF618645181
excepti, xrefs: 00007FF618645170
sysFatal, xrefs: 00007FF61864511A
fatal.nim, xrefs: 00007FF618645119
nhandled, xrefs: 00007FF61864518B
ReraiseDefect, xrefs: 00007FF618645114

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpystrlen
String ID: excepti$Error: u$ReraiseDefect$[[rerais$]]$ed from:$fatal.nim$nhandled$on: $sysFatal
API String ID: 3412268980-331123295
Opcode ID: 2d776e0bb831010b6c225a9819933063bf9a0751903a23d9f7593caf53276d09
Instruction ID: 4ab4dad60c1c2699074dfccf92049197714798baa4b46cdeb3629adad1501c31
Opcode Fuzzy Hash: 2d776e0bb831010b6c225a9819933063bf9a0751903a23d9f7593caf53276d09
Instruction Fuzzy Hash: B522CD72A09F4281EB109F25E4587AE27A5FB85FA0F844136EE5C87B95DF3CE444E384

Function 00007FF618649280 Relevance: 16.7, APIs: 3, Strings: 8, Instructions: 193COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF6186494E4
memcpy.MSVCRT ref: 00007FF618649526

Strings

VT_ARRAY, xrefs: 00007FF6186492CD
VT_ARRAY, xrefs: 00007FF6186495A0
VED|, xrefs: 00007FF618649445
H, xrefs: 00007FF6186492FD
VT_VECTO, xrefs: 00007FF6186493D0
VT_BYREF, xrefs: 00007FF618649398
VT_ARRAY, xrefs: 00007FF6186494BA
VT_RESER, xrefs: 00007FF618649428

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy
String ID: H$VED|$VT_ARRAY$VT_ARRAY$VT_ARRAY$VT_BYREF$VT_RESER$VT_VECTO
API String ID: 3510742995-1705348919
Opcode ID: a86182c4fd8834cc737c5c4e5302b065617498eade09615eae6dd8b407819b28
Instruction ID: eb9c66d3e65cf35ca8652c1f5ad5bd82d358f8b314dd59c4fb98ab6ef9031734
Opcode Fuzzy Hash: a86182c4fd8834cc737c5c4e5302b065617498eade09615eae6dd8b407819b28
Instruction Fuzzy Hash: A5818932A09F4681EB119B25E4543AD63A4FB94FA4F998132DF4D873A5EE3CD444E388

Function 00007FF618652790 Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 167COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF6186528EB
memcpy.MSVCRT ref: 00007FF6186529AB

Strings

CLRError, xrefs: 00007FF618652796
strformat.nim, xrefs: 00007FF618652931
rse:, xrefs: 00007FF6186528CC
format s, xrefs: 00007FF61865288F
ValueError, xrefs: 00007FF61865281B
tring, c, xrefs: 00007FF6186528A0
parseStandardFormatSpecifier, xrefs: 00007FF618652947
invalid , xrefs: 00007FF618652885
annot pa, xrefs: 00007FF6186528AE

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy
String ID: CLRError$ValueError$annot pa$format s$invalid $parseStandardFormatSpecifier$rse:$strformat.nim$tring, c
API String ID: 3510742995-153200016
Opcode ID: 4fade999f713cb9291008e8e771ea4e4e06678c9c79d51e3a30987be5e6c63ac
Instruction ID: 8329354af60eb2d2427efe18ee3fcfefac10a8071c02efdbc750aeb21f00c501
Opcode Fuzzy Hash: 4fade999f713cb9291008e8e771ea4e4e06678c9c79d51e3a30987be5e6c63ac
Instruction Fuzzy Hash: 91714B72A09F4681EB10DF26E9543AD63A0FB85FA4F448135EA9C8B786EF3CD054D384

Function 00007FF61864D1F0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 187COMMON

Download Yara Rule

APIs

_setjmp.MSVCRT ref: 00007FF61864D227
memcpy.MSVCRT ref: 00007FF61864D422

Strings

strutils.nim, xrefs: 00007FF61864D472
parseInt, xrefs: 00007FF61864D479
integer:, xrefs: 00007FF61864D3C5
ValueError, xrefs: 00007FF61864D383, 00007FF61864D48C
invalid , xrefs: 00007FF61864D3DF
gfffffff, xrefs: 00007FF61864D298

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: _setjmpmemcpy
String ID: ValueError$gfffffff$integer:$invalid $parseInt$strutils.nim
API String ID: 2721286225-831327929
Opcode ID: 3f73189fa8d5455517717b45f601fd0b2f05e55adca86ad036159fdf831d08fb
Instruction ID: 2b0fd9b3cafa8d4f0d3c1718d9171db7e9d9f1d68c34b7bf09eff5c7c7dcffa5
Opcode Fuzzy Hash: 3f73189fa8d5455517717b45f601fd0b2f05e55adca86ad036159fdf831d08fb
Instruction Fuzzy Hash: C691AE32A09F8A81EB618B25E4643AD73A0FB95FA4F444232DA5D87395DF3CD544E388

Function 00007FF618646150 Relevance: 14.0, APIs: 2, Strings: 6, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6186461A3
exit.MSVCRT ref: 00007FF6186461B8

Strings

SIGFPE: Arithmetic error., xrefs: 00007FF61864617A
SIGINT: Interrupted by Ctrl-C., xrefs: 00007FF618646156
unknown signal, xrefs: 00007FF618646189
SIGSEGV: Illegal storage access. (Attempt to read from nil?), xrefs: 00007FF618646162
SIGABRT: Abnormal termination., xrefs: 00007FF61864616E
SIGILL: Illegal operation., xrefs: 00007FF618646190

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitstrlen
String ID: SIGABRT: Abnormal termination.$SIGFPE: Arithmetic error.$SIGILL: Illegal operation.$SIGINT: Interrupted by Ctrl-C.$SIGSEGV: Illegal storage access. (Attempt to read from nil?)$unknown signal
API String ID: 4213389737-3987738871
Opcode ID: 9915d26041e0ad20eabdf0160e6ea6c1bbb54fbb968086df6f4d2b90d2da5e54
Instruction ID: 8cf743a47b8b310620c70333e8517d71d842f44f444e7c1d8844c2d71e539989
Opcode Fuzzy Hash: 9915d26041e0ad20eabdf0160e6ea6c1bbb54fbb968086df6f4d2b90d2da5e54
Instruction Fuzzy Hash: 18F0BB20D08C8390FB18A77468A507C5356AF81F64FF40039E41EC3A63CF1CA849E2C8

Function 00007FF618648FD0 Relevance: 13.6, APIs: 2, Strings: 7, Instructions: 142COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF61864906A
memcpy.MSVCRT ref: 00007FF6186490AB

Strings

from, xrefs: 00007FF61864921A
convert , xrefs: 00007FF6186491B7
convert , xrefs: 00007FF618649110
convert , xrefs: 00007FF6186491F4
convert , xrefs: 00007FF61864903F
convert , xrefs: 00007FF618649254
to , xrefs: 00007FF61864922E

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy
String ID: to $convert $convert $convert $convert $convert $from
API String ID: 3510742995-1950068461
Opcode ID: 9304380911033293320c81f2acf6376005448f402ff89b2ee30c3c9f99823c00
Instruction ID: 87fc6411cf33ddabbc838473a7aa84ab53adfa84f55fdbb9155edaf0dfee9403
Opcode Fuzzy Hash: 9304380911033293320c81f2acf6376005448f402ff89b2ee30c3c9f99823c00
Instruction Fuzzy Hash: 3161BD72A08F8681EB05CF51D4583AD3BA1FB98F84F498036EA0C87395EF78D905D385

Function 00007FF6186416F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF618641709
LoadLibraryA.KERNEL32 ref: 00007FF61864171A
GetProcAddress.KERNEL32 ref: 00007FF618641738
GetProcAddress.KERNEL32 ref: 00007FF618641748

Strings

__register_frame_info, xrefs: 00007FF618641727
__deregister_frame_info, xrefs: 00007FF61864173B
libgcc_s_dw2-1.dll, xrefs: 00007FF6186416FF

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: d15966665af7c63bfc69cf10254b49aa8a80bc0e5efb5ff61f34cf4ca4ebe78a
Instruction ID: d102b2b08da03fb570ef5c8b7b9e32e2d77a20ec8170991d2db9b85d5a03411c
Opcode Fuzzy Hash: d15966665af7c63bfc69cf10254b49aa8a80bc0e5efb5ff61f34cf4ca4ebe78a
Instruction Fuzzy Hash: 1101CC24B49E47D0EB15DB65FC6057963A4BF45FA8F980532DD4D82210EE3CE149E388

Function 00007FF61864E170 Relevance: 12.3, APIs: 2, Strings: 6, Instructions: 257stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF61864E3A4

Strings

lcJ, xrefs: 00007FF61864E5D1
MZ, xrefs: 00007FF61864E1A3
DZ3, xrefs: 00007FF61864E386
,{lW, xrefs: 00007FF61864E4F1
,{lW, xrefs: 00007FF61864E4B0
lcJ, xrefs: 00007FF61864E47B

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: strlen
String ID: ,{lW$,{lW$DZ3$MZ$lcJ$lcJ
API String ID: 39653677-2314944304
Opcode ID: 79f6aedf410f87875a6a9b3bfdde9027fafa175417fa9fb1544a18631473e473
Instruction ID: 19a3777862a9e930e41399151b81b136337add30a1a848f9a2fe246d37da3c57
Opcode Fuzzy Hash: 79f6aedf410f87875a6a9b3bfdde9027fafa175417fa9fb1544a18631473e473
Instruction Fuzzy Hash: 3CC18F61A08D8685E721DB35E8603BE6362BFC0B74F844031EA4D87799DF7CE549E784

Function 00007FF618644F70 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

longjmp.MSVCRT ref: 00007FF618645007
exit.MSVCRT ref: 00007FF61864501A

Strings

5, xrefs: 00007FF61864507B
sysFatal, xrefs: 00007FF618645091
fatal.nim, xrefs: 00007FF618645084
ReraiseDefect, xrefs: 00007FF618645026

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitlongjmp
String ID: 5$ReraiseDefect$fatal.nim$sysFatal
API String ID: 2266059207-1761478562
Opcode ID: a6c7970276e8315dc3e21b04744d58606a569a86ae19e790ef2c0b0b35e27dc3
Instruction ID: e55671148f0f03caff3e758b2aed497518041f0d19bc6e8a57b74c348c7a1ac4
Opcode Fuzzy Hash: a6c7970276e8315dc3e21b04744d58606a569a86ae19e790ef2c0b0b35e27dc3
Instruction Fuzzy Hash: BE314A35A09E06A0EB009B24E4982BD73A4FF94FA4F540436DA1C83392EF38E544E3D8

Function 00007FF61864B080 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF61864B14B
VariantCopy.OLEAUT32 ref: 00007FF61864B1A1

Strings

toVariant, xrefs: 00007FF61864B366
VariantConversionError, xrefs: 00007FF61864B2D7
com.nim, xrefs: 00007FF61864B350

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: CopyInitializeVariant
String ID: VariantConversionError$com.nim$toVariant
API String ID: 633353902-3035603046
Opcode ID: a4a9e674decf4443f4f046d4eab1aa7a00194a0de938a3e5601d8abe73fc4c3c
Instruction ID: 36d0cc5df852142adc3d7a8c94db8a3e5ce0b50070a4ed0f83a56b304223b77f
Opcode Fuzzy Hash: a4a9e674decf4443f4f046d4eab1aa7a00194a0de938a3e5601d8abe73fc4c3c
Instruction Fuzzy Hash: CF915921A0AF4280EB109B75E8643BE63A0FF94FA4F940535DA4D87799DF7CE404E788

Function 00007FF618656E90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF618656EB8

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: a4381fa92cb0d565006f9dfff1b99eef7e1d365cb7ea1ddf9efebcac2aa79064
Instruction ID: 1fc4314baea558ae1293197643bde0afdc45d822699a79892980f7aa536beef9
Opcode Fuzzy Hash: a4381fa92cb0d565006f9dfff1b99eef7e1d365cb7ea1ddf9efebcac2aa79064
Instruction Fuzzy Hash: 52410672E09F0589F7208B74D55437C23A1AB45BB8F204A35D92DC7BEACE3CE941A385

Function 00007FF618641E40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF618641E69
fflush.MSVCRT ref: 00007FF618641E71
exit.MSVCRT(?,?,?,?,?,?,?,00007FF6186622C0), ref: 00007FF618641E7B

Strings

[GC] cannot register global variable; too many global variables, xrefs: 00007FF618641E5C

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitfflushfwrite
String ID: [GC] cannot register global variable; too many global variables
API String ID: 3476253079-2146260042
Opcode ID: f6d201c6bb657294f93126c72b70e15c6ccc17db40f33077b8880073670369d6
Instruction ID: 4272ef23a561b587f934a18aa4c0591e944861dce32174515a312b896c59a25f
Opcode Fuzzy Hash: f6d201c6bb657294f93126c72b70e15c6ccc17db40f33077b8880073670369d6
Instruction Fuzzy Hash: 93516BB2B05E5181EF44CB28D0643BC27A1FB94F94F558631CA1E87392EF7EE5469384

Function 00007FF6186420F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF61864210E
exit.MSVCRT ref: 00007FF61864223F

Strings

@, xrefs: 00007FF618642163
could not import: , xrefs: 00007FF618642203

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AddressProcexit
String ID: @$could not import:
API String ID: 2129014486-260091680
Opcode ID: ffafcb9df3c3e3d8a139c628257651b0e5f35b96b7a06be2ac633388f5863d0a
Instruction ID: c4a56ba508c6b5748bafc265ca7209f7d873cfe7036ef82ba93ddf71c1da3526
Opcode Fuzzy Hash: ffafcb9df3c3e3d8a139c628257651b0e5f35b96b7a06be2ac633388f5863d0a
Instruction Fuzzy Hash: 35312552F09A8291EF25D739E9203BD5B52AB85BD4F584135CF0E47385DE2DD0069384

Function 00007FF618645970 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

longjmp.MSVCRT ref: 00007FF618645A07
exit.MSVCRT(?,?,00000000,00000000,00007FF618645AB5), ref: 00007FF618645A17

Strings

sysFatal, xrefs: 00007FF618645A23
fatal.nim, xrefs: 00007FF618645A22

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitlongjmp
String ID: fatal.nim$sysFatal
API String ID: 2266059207-2644091575
Opcode ID: c24e095f600e90dd0071e4f52d71d25d6e3d9d32fe2a5d83d3d4b835c7dc1ab1
Instruction ID: 6016670c031afd4bdfee767afd1fe5d401352b52084db3128634fe6527bcc251
Opcode Fuzzy Hash: c24e095f600e90dd0071e4f52d71d25d6e3d9d32fe2a5d83d3d4b835c7dc1ab1
Instruction Fuzzy Hash: F3417472A05E0691EF009B28D8A877D73A4FB98FE4F544535EA4C87790EF78D445D388

Function 00007FF618642050 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF618641DB0: strlen.MSVCRT ref: 00007FF618641DC1
Part of subcall function 00007FF618641DB0: fwrite.MSVCRT ref: 00007FF618641DD4

GetLastError.KERNEL32 ref: 00007FF6186420A2
exit.MSVCRT(?,?,?,00007FF61866223B), ref: 00007FF6186420CA

Strings

could not load: , xrefs: 00007FF618642070
(bad format; library may be wrong architecture), xrefs: 00007FF6186420D6

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: ErrorLastexitfwritestrlen
String ID: (bad format; library may be wrong architecture)$could not load:
API String ID: 671075621-2754783905
Opcode ID: 51cbf49d1914b27e1f1b5dfa9d7d0e78acbbf09de8430b78a8be3013a6eed925
Instruction ID: 8aa0e071a75e1ca80512bd772d9fd2a198c1d5d3e89d8d2ce41442d936af29f5
Opcode Fuzzy Hash: 51cbf49d1914b27e1f1b5dfa9d7d0e78acbbf09de8430b78a8be3013a6eed925
Instruction Fuzzy Hash: B2014450B09E5381FB04B771E8653B852A6AF94FA0F540035DD0EC73C7EE2DA441D399

Function 00007FF618641DF0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF618641E19
fflush.MSVCRT ref: 00007FF618641E21
exit.MSVCRT(?,?,?,00007FF6186622C0), ref: 00007FF618641E2B

Strings

[GC] cannot register thread local variable; too many thread local variables, xrefs: 00007FF618641E0C

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitfflushfwrite
String ID: [GC] cannot register thread local variable; too many thread local variables
API String ID: 3476253079-685140759
Opcode ID: b0b8e0b35887b2fe47ecad4396eab2e2ac4f058f9d5d47144fdd08601c8bd8f4
Instruction ID: 7c016e40807b1a637b9a24bddbe56de7df40422fda87856fb7041b1c98f0c97b
Opcode Fuzzy Hash: b0b8e0b35887b2fe47ecad4396eab2e2ac4f058f9d5d47144fdd08601c8bd8f4
Instruction Fuzzy Hash: 9EE08C20A04A814AE3006BB2A4153B86650FF97F90F401034D90E973C3CE2D90429388

Function 00007FF61864A3E0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF618643F10: memset.MSVCRT ref: 00007FF618643FA2

Part of subcall function 00007FF618652790: memcpy.MSVCRT ref: 00007FF6186528EB

memcpy.MSVCRT ref: 00007FF61864A6F3

Strings

clrError, xrefs: 00007FF61864A64E
clr.nim, xrefs: 00007FF61864A647
CLRError, xrefs: 00007FF61864A43D

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy$memset
String ID: CLRError$clr.nim$clrError
API String ID: 438689982-2830349459
Opcode ID: e048558dc86e6f5a9352b3e37d4a831861b57ce832144c4fdce3ff389ed0c927
Instruction ID: 06c78d002ca072f97161da44ba19796811ac4b373146f5cba75e83525047d9ab
Opcode Fuzzy Hash: e048558dc86e6f5a9352b3e37d4a831861b57ce832144c4fdce3ff389ed0c927
Instruction Fuzzy Hash: B491E362A08F8255EB158B25A9102BD2B61FF84FB4F440231EF6D8B3C2DF2CE550E394

Function 00007FF61864A080 Relevance: 6.1, APIs: 4, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF61864A0A1
MultiByteToWideChar.KERNEL32 ref: 00007FF61864A139
MultiByteToWideChar.KERNEL32 ref: 00007FF61864A19C
SysAllocString.OLEAUT32 ref: 00007FF61864A1AD

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: ByteCharMultiWide$AllocInitializeString
String ID:
API String ID: 1889743751-0
Opcode ID: e0bb64149f93d728e33b5e0fbb6459ea89275909b76d61481fabf21199463d14
Instruction ID: 265b1ecc6406499e316111c48663d00cf411d4df90e3a842864f0a4313cfbb6a
Opcode Fuzzy Hash: e0bb64149f93d728e33b5e0fbb6459ea89275909b76d61481fabf21199463d14
Instruction Fuzzy Hash: 7D51AF62B0AF4690FB109B35A82437E67A0BF94FA4F584135DA0D87395EF3CE445E388

Function 00007FF618643170 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32 ref: 00007FF61864327E
exit.MSVCRT ref: 00007FF618643299

Strings

virtualFree failing!, xrefs: 00007FF618643288

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: FreeVirtualexit
String ID: virtualFree failing!
API String ID: 1212090140-3108117800
Opcode ID: 68b8d1335d4262310ceacde46beb014e5e86bd410c41983fcf449f0e24c4c635
Instruction ID: c0a654b4bf5fbd7d27de5657561ea2011eeff32b78b79107cbd5d79d896bfdd2
Opcode Fuzzy Hash: 68b8d1335d4262310ceacde46beb014e5e86bd410c41983fcf449f0e24c4c635
Instruction Fuzzy Hash: AF51C2B2A05F8180EF05CB25C569BAD33A5FB94BA0F51C235C65D87384EF3AD584D384

Function 00007FF6186564B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4
Unknown error, xrefs: 00007FF61865654A

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: f5ed3b677f2f48d0590d541834f8938872b46eabe71cd71ba44e55bff7287e57
Instruction ID: c0565396ea39fcefbfda1a7b0e3cb648e662b32f21e44c31f051f1c6f411da7f
Opcode Fuzzy Hash: f5ed3b677f2f48d0590d541834f8938872b46eabe71cd71ba44e55bff7287e57
Instruction Fuzzy Hash: 27217926A04F849AD711CF69E8403EA7371FF59BA8F444622EE8C57724EF38C24AC300

Function 00007FF61865653D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF61865653D

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 2dbb23b2c733bdc5e2c88e864f8e4be43479ddb640e3ee14439bc3aa9eb47380
Instruction ID: 681872378f8b6965354e993a2fccc59937e916cb7d1391e2763be282fc752f8b
Opcode Fuzzy Hash: 2dbb23b2c733bdc5e2c88e864f8e4be43479ddb640e3ee14439bc3aa9eb47380
Instruction Fuzzy Hash: B5017C26A04F848AD711CF69D8402AA7771FF5DBA8F044722EF8D27765DF28C189D340

Function 00007FF618656530 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

Total loss of significance (TLOSS), xrefs: 00007FF618656530
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 224748f1aa114ad75b1f1ac9416724a679c86d711bcf6c7fa56f51eb8680cdc8
Instruction ID: b8a7bd9c511dfc30071d2d231488d7bc4f7f50a11415dc56549139907e78d974
Opcode Fuzzy Hash: 224748f1aa114ad75b1f1ac9416724a679c86d711bcf6c7fa56f51eb8680cdc8
Instruction Fuzzy Hash: 9C017C26A04F888AD711CF69D8402AA7771FF5DBA8F044722EF8D27769DF28C185D340

Function 00007FF618656516 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4
Overflow range error (OVERFLOW), xrefs: 00007FF618656516

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 2ccf02da138a7f67b759a146aa06823c0007208c8fea492fe6df19dd1a8d4ce2
Instruction ID: 3d7cf50a8b13dd009eac55de7e61bc2674518e2fee46bf8573463a5d05a59b90
Opcode Fuzzy Hash: 2ccf02da138a7f67b759a146aa06823c0007208c8fea492fe6df19dd1a8d4ce2
Instruction Fuzzy Hash: 41017C26A04F848AD711CF69D8402AA7771FF5DBA8F044726EF8D27769DF28C185D340

Function 00007FF618656523 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4
Partial loss of significance (PLOSS), xrefs: 00007FF618656523

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: b8127e0a148a3f2144de23711edacc057c0f970e361e3f338bc60eb4b9e6ada2
Instruction ID: 91763f853cdfd93e27d15687f58216b8973e5e8b89cd145c08e6cc80bdc146e2
Opcode Fuzzy Hash: b8127e0a148a3f2144de23711edacc057c0f970e361e3f338bc60eb4b9e6ada2
Instruction Fuzzy Hash: 0C017C26A04F848AD711CF69D8402AA7771FF5DBA8F044726EF8D27769DF28C185D344

Function 00007FF618656509 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4
Argument singularity (SIGN), xrefs: 00007FF618656509

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 041973ba09f51f5bbe3c4b1c88ac10a69af53ca7432e29cfd1701aba7b0af9e6
Instruction ID: 1b65328334aecc317225a61fbe5a9ad0f448309576b0de1484abe1593fcc8d38
Opcode Fuzzy Hash: 041973ba09f51f5bbe3c4b1c88ac10a69af53ca7432e29cfd1701aba7b0af9e6
Instruction Fuzzy Hash: 07015A26A04F888AD711CF69D8402AA7771FB5DBA8F044722EF8D27769DF28C185D340

Function 00007FF6186564FC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

Argument domain error (DOMAIN), xrefs: 00007FF6186564FC
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4

Memory Dump Source

Source File: 00000000.00000002.2148776122.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000000.00000002.2148757452.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148804598.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148824012.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148872460.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148894285.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148955029.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148973424.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2148991435.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: a146f8cdcdf8742bd3899f7bf3c1021d3d1a80d061f4e761973d6a360533c67e
Instruction ID: 5712630d364b0a5830d1c4483717d1c32082dd7ed30d3e5b69a8c5f8bce2d20b
Opcode Fuzzy Hash: a146f8cdcdf8742bd3899f7bf3c1021d3d1a80d061f4e761973d6a360533c67e
Instruction Fuzzy Hash: 8F017C26A04F888AD711CF69D8402AA7771FF5DBA8F044726EF8D27769DF28C185D340

Analysis Process: gEP8SOoakR.exePID: 6192, Parent PID: 6768COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1042
Total number of Limit Nodes:	70

Executed Functions

Function 00007FF61864C240 Relevance: 137.4, APIs: 46, Strings: 31, Instructions: 2605memorysleepCOMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL ref: 00007FF61864C3DE
memcpy.MSVCRT ref: 00007FF61864C4C3

Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF6186466C7
Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF61864672A

Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BC81
Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BCA2

GetProcessHeap.KERNEL32 ref: 00007FF61864CA71
GetProcessHeap.KERNEL32 ref: 00007FF61864CA7A
exit.MSVCRT ref: 00007FF61864CA96
exit.MSVCRT ref: 00007FF61864CAC2
GetTickCount.KERNEL32 ref: 00007FF61864CC8D
Sleep.KERNEL32 ref: 00007FF61864CC9A
SleepEx.KERNELBASE ref: 00007FF61864CCA0
exit.MSVCRT ref: 00007FF61864CCB1

Strings

CreateFileA, xrefs: 00007FF61864C9B4
SetThreadContext, xrefs: 00007FF61864C899
GetCurrentProcessId, xrefs: 00007FF61864C76A
Sleep, xrefs: 00007FF61864C968
GetTickCount, xrefs: 00007FF61864C98E
CloseHandle, xrefs: 00007FF61864C8BF
GetProcAddress, xrefs: 00007FF61864C7FB
GetModuleHandleA, xrefs: 00007FF61864C84D
RtlAddVectoredExceptionHandler, xrefs: 00007FF61864C827
,$6U, xrefs: 00007FF6186542E6
LdrLoadDll, xrefs: 00007FF61864C6BE
OpenThread, xrefs: 00007FF61864C8E5
MultiByteToWideChar, xrefs: 00007FF61864C949
GetFileSize, xrefs: 00007FF61864C9DA
toVariant, xrefs: 00007FF618655C4B, 00007FF618655CFB, 00007FF618655E5F
WaitForSingleObject, xrefs: 00007FF61864C92A
GetCurrentThreadId, xrefs: 00007FF61864C90B
VirtualProtect, xrefs: 00007FF61864C790
,{lW, xrefs: 00007FF61864CFB0
VariantConversionError, xrefs: 00007FF618655B97, 00007FF618655C67, 00007FF618655DCF
GetProcessHeap, xrefs: 00007FF61864C7D5
OpenProcess, xrefs: 00007FF61864C7B6
ReadFile, xrefs: 00007FF61864CA2E
com.nim, xrefs: 00007FF618655C38, 00007FF618655CE5, 00007FF618655E4C
GetComputerNameExA, xrefs: 00007FF61864CC40
RtlInitUnicodeString, xrefs: 00007FF61864C6EC
p, xrefs: 00007FF618654638
GlobalMemoryStatusEx, xrefs: 00007FF61864CC5F
GetThreadContext, xrefs: 00007FF61864C873
RtlAllocateHeap, xrefs: 00007FF61864CA08
GetDiskFreeSpaceExA, xrefs: 00007FF61864CC7E

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitmemcpy$ByteCharHeapMultiProcessSleepWide$CountTickVersion
String ID: ,$6U$,{lW$CloseHandle$CreateFileA$GetComputerNameExA$GetCurrentProcessId$GetCurrentThreadId$GetDiskFreeSpaceExA$GetFileSize$GetModuleHandleA$GetProcAddress$GetProcessHeap$GetThreadContext$GetTickCount$GlobalMemoryStatusEx$LdrLoadDll$MultiByteToWideChar$OpenProcess$OpenThread$ReadFile$RtlAddVectoredExceptionHandler$RtlAllocateHeap$RtlInitUnicodeString$SetThreadContext$Sleep$VariantConversionError$VirtualProtect$WaitForSingleObject$com.nim$p$toVariant
API String ID: 4036915570-2294705820
Opcode ID: 75185cecd4f4cd0ff8ff1251ed288e3ec12cfa21fc9c39858dd0f71e78f13bd5
Instruction ID: 9c0f3513cb83aa3e4ee680be0ef3a9bae2c8db332dd3c05c8bb51f1e506becd4
Opcode Fuzzy Hash: 75185cecd4f4cd0ff8ff1251ed288e3ec12cfa21fc9c39858dd0f71e78f13bd5
Instruction Fuzzy Hash: 56435B61A09F8681EB10DB25E8683BD63A1FF84FA0F444535DA5D8779ADF3CE504E388

Function 00007FF61864D570 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 334
threadlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF61864D5B8
memset.MSVCRT ref: 00007FF61864D5C9
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF61864D62D
Thread32First.KERNEL32 ref: 00007FF61864D697
Thread32Next.KERNEL32 ref: 00007FF61864D6AB
GetCurrentProcessId.KERNEL32 ref: 00007FF61864D6B3

Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BC81
Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BCA2

Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF6186466C7
Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF61864672A

CloseHandle.KERNEL32 ref: 00007FF61864D6DE
OpenThread.KERNEL32 ref: 00007FF61864D70C
GetThreadContext.KERNEL32 ref: 00007FF61864D724
SetThreadContext.KERNEL32 ref: 00007FF61864D778
CloseHandle.KERNEL32 ref: 00007FF61864D7A1
GetModuleHandleA.KERNEL32 ref: 00007FF61864D7E6
GetModuleHandleA.KERNEL32 ref: 00007FF61864D9A7
GetProcAddress.KERNEL32 ref: 00007FF61864D9FF
RtlInitUnicodeString.NTDLL ref: 00007FF61864DA9E
LdrLoadDll.NTDLL ref: 00007FF61864DAAE

Strings

D|u, xrefs: 00007FF61864D982

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: Handle$Thread$ByteCharCloseContextModuleMultiThread32Widememcpy$AddressCreateCurrentExceptionFirstHandlerInitLoadNextOpenProcProcessSnapshotStringToolhelp32UnicodeVectoredmemset
String ID: D|u
API String ID: 902128316-2768058641
Opcode ID: 09e4555b71253e80de3682f4f7e29e5f6c8c6ad04570e4f0c2753624d62e8bf0
Instruction ID: 1af051be9ba5f83094cf2cae80e73c08b0ce6060a4307d2cab30ac11fcacb8b3
Opcode Fuzzy Hash: 09e4555b71253e80de3682f4f7e29e5f6c8c6ad04570e4f0c2753624d62e8bf0
Instruction Fuzzy Hash: BCE18061E0DE8282EB149B71E4243BE6792AFE1FA4F444035DA4D87789DF7CE405E398

Function 00007FF618650460 Relevance: 19.5, APIs: 11, Strings: 1, Instructions: 1506COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF6186518F8

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: cdfd9fea71167d7d99881b81844c1dd756b5e3768975750ad13c3514bfd5f960
Instruction ID: bdeaa9813366ad36a47fd89389a3ec67e0612b2128c0163cbe2186b7397b3c40
Opcode Fuzzy Hash: cdfd9fea71167d7d99881b81844c1dd756b5e3768975750ad13c3514bfd5f960
Instruction Fuzzy Hash: 42E2B0B2A05F4682EF549B25C0487B93366FB40FE4F859536CA2D8B386DF78E490D385

Function 00007FF618652CA0 Relevance: 16.3, APIs: 6, Strings: 3, Instructions: 593
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_setjmp.MSVCRT ref: 00007FF618652D17
CLRCreateInstance.MSCOREE ref: 00007FF618652D4C
_setjmp.MSVCRT ref: 00007FF618652DD3
_setjmp.MSVCRT ref: 00007FF618652E36
_setjmp.MSVCRT ref: 00007FF618652F9D

Strings

ntime of, xrefs: 00007FF6186532FB
unable t, xrefs: 00007FF6186532CD
o get ru, xrefs: 00007FF6186532D7

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: _setjmp$CreateInstance
String ID: ntime of$o get ru$unable t
API String ID: 1775370524-3332830050
Opcode ID: ac211fbf096da5d0da3a4762ae46cb72a1d791a0f9595435f5d7eb76b5508b96
Instruction ID: 6a351d41a6e2384d4f47e5c229c050608aa27b95d4cb4e4b1fca237086930b0c
Opcode Fuzzy Hash: ac211fbf096da5d0da3a4762ae46cb72a1d791a0f9595435f5d7eb76b5508b96
Instruction Fuzzy Hash: 56523876A08F4681EB11CF2AE9503AA73A1FB85FA4F408132DA4D877A5EF3CD444D784

Function 00007FF618641154 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_amsg_exit.MSVCRT ref: 00007FF618641242
_initterm.MSVCRT ref: 00007FF618641277
_initterm.MSVCRT ref: 00007FF6186412AA
exit.MSVCRT ref: 00007FF61864145D
_cexit.MSVCRT ref: 00007FF61864146C

Strings

0, xrefs: 00007FF6186411B0

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: _initterm$_amsg_exit_cexitexit
String ID: 0
API String ID: 602970348-4108050209
Opcode ID: 50d41e5def3bf9c16f3af7bdd17e1943794a521b4815a992c7d3667bf630053a
Instruction ID: b0f595149582cd307fd3e98c512ac78ff56565fd87b2458c0bdf45a073660d42
Opcode Fuzzy Hash: 50d41e5def3bf9c16f3af7bdd17e1943794a521b4815a992c7d3667bf630053a
Instruction Fuzzy Hash: 3CA1D225B08F0689EB50CB76E89036C37A1AB44FA8F404075DE4DD77A5DE3CE581A798

Function 00007FF848E6C6DE Relevance: 5.4, Strings: 3, Instructions: 1664
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

rN_H, xrefs: 00007FF848E6CC72
VUUU, xrefs: 00007FF848E6CEF7
I, xrefs: 00007FF848E6C8E6

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: I$VUUU$rN_H
API String ID: 0-2068014598
Opcode ID: 3f848d36996e867e7d150d907c668f9348c0a67e3d81637418267700b70ee42a
Instruction ID: 099adb10d47bf626130d125386d177e08d70b9783d0c3bb6520e05eaf92d6dc2
Opcode Fuzzy Hash: 3f848d36996e867e7d150d907c668f9348c0a67e3d81637418267700b70ee42a
Instruction Fuzzy Hash: 66C29E30A1D9499FEB99E7288455BB9B7E1FF59350F9800BDC04DD7292CE39B882CB44

Function 00007FF61864F6D0 Relevance: 4.9, APIs: 3, Instructions: 373
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FF61864F7EA
ReadFile.KERNELBASE ref: 00007FF61864F850

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: ec7523323d8522bed43e5f29889f388af1469c161f64491dd7193ab5dd99971d
Instruction ID: 7d2bb30d76cea22cc928cefb03153a0b1ef0aa994233e4260ff9d95dcef88965
Opcode Fuzzy Hash: ec7523323d8522bed43e5f29889f388af1469c161f64491dd7193ab5dd99971d
Instruction Fuzzy Hash: 46F1EF22A09AC185EB11CF3AA8543BE7BA1FB85F94F458036DE8D83795DE3CD145E350

Function 00007FF61864BF80 Relevance: 4.6, APIs: 3, Instructions: 58
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BC81
Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BCA2

GetThreadContext.KERNEL32 ref: 00007FF61864BFD9
SetThreadContext.KERNEL32 ref: 00007FF61864C03A
BaseThreadInitThunk.KERNEL32 ref: 00007FF61864C063

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: Thread$Contextmemcpy$BaseInitThunk
String ID:
API String ID: 2238238550-0
Opcode ID: 367616483b3a5feb9ccb286755c9a34a301c0049ecf4f422587df0ba8695a429
Instruction ID: 208ed8d271ebdb7973b5c48ec8011c7d49f8ba50814be58b7976912183925dbe
Opcode Fuzzy Hash: 367616483b3a5feb9ccb286755c9a34a301c0049ecf4f422587df0ba8695a429
Instruction Fuzzy Hash: 1421A161609E8645EB109B35F82037A6391BFD8FB4F544231DD6D873D9CE3CD0489788

Function 00007FF848E61930 Relevance: 3.6, Strings: 2, Instructions: 1095
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*O_^, xrefs: 00007FF848E61A01
,O_, xrefs: 00007FF848E61B04

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: *O_^$,O_
API String ID: 0-4213225396
Opcode ID: 8337539af23001a403c551130e114e8505c5d94886f7dd87f0016cf33ae3a9b7
Instruction ID: 649fe0f440468bb655bb6f73affc0f06a5f13d9455cf9d3ba286bc708e7bb2fa
Opcode Fuzzy Hash: 8337539af23001a403c551130e114e8505c5d94886f7dd87f0016cf33ae3a9b7
Instruction Fuzzy Hash: 6F722431A0CA565FE759FB28D0405F973A1FF90364F58467ED08A8B183DB34B886C798

Function 00007FF848E618D3 Relevance: 3.2, Strings: 2, Instructions: 726
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*O_^, xrefs: 00007FF848E61A01
,O_, xrefs: 00007FF848E61B04

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: *O_^$,O_
API String ID: 0-4213225396
Opcode ID: 7ad664ccd177a1373235057406b77f0213281d9ec89046caf1f7625b3bbf0a28
Instruction ID: 8c9373e3b8c0d7a6d7e26341014ca809dd621a8ac35e1879cb90def21aed63d6
Opcode Fuzzy Hash: 7ad664ccd177a1373235057406b77f0213281d9ec89046caf1f7625b3bbf0a28
Instruction Fuzzy Hash: 75226662A4DA566ED70DBB78F4910F57790FF91364F0C85BBD0C98A083DB24B486C7A8

Function 00007FF848E618B0 Relevance: 3.2, Strings: 2, Instructions: 720COMMON

Download Yara Rule

Strings

*O_^, xrefs: 00007FF848E61A01
,O_, xrefs: 00007FF848E61B04

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: *O_^$,O_
API String ID: 0-4213225396
Opcode ID: dfde3c76f3497144372e61798c4f99482ea8b58ca3026caa969939ccd63ecffb
Instruction ID: 923d173dc7b1241a915f4018984d586769b18416d1d940614bb4873fbe020ae3
Opcode Fuzzy Hash: dfde3c76f3497144372e61798c4f99482ea8b58ca3026caa969939ccd63ecffb
Instruction Fuzzy Hash: 07226862A4DA566ED30DBB78F4510F57790FF91364F4C85BBD0C98A083DB24B486C7A8

Function 0000025906CB1B10 Relevance: 3.1, APIs: 2, Instructions: 132nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 0000025906CB1BA2
NtCreateSection.NTDLL ref: 0000025906CB1C02

Memory Dump Source

Source File: 00000003.00000002.2135060377.0000025906CB0000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000025906CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_25906cb0000_gEP8SOoakR.jbxd

Similarity

API ID: CreateMemoryProtectSectionVirtual
String ID:
API String ID: 1366966015-0
Opcode ID: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
Instruction ID: 913f9e3206f21df91e453f11517a2f95d8bbbd86895d32feb5fcd34ff4369e32
Opcode Fuzzy Hash: f6b47d1aec46e1e957693d9d0c8cb924439d4d7cbf412633b4b44180241d7493
Instruction Fuzzy Hash: 25310C7061CF1C8FE758A66C9C5D66A72D5EBD8322F004B2FE58AC32D1EB70D845468A

Function 00007FF848E619E0 Relevance: 3.1, Strings: 2, Instructions: 611COMMON

Download Yara Rule

Strings

*O_^, xrefs: 00007FF848E61A01
,O_, xrefs: 00007FF848E61B04

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: *O_^$,O_
API String ID: 0-4213225396
Opcode ID: fbc78f5fc06a38311a50a2f5f4e4c9c36b3bfac2d6e4741a36c7a0b6ef8ad760
Instruction ID: 623ecd6bac3ad7188dbe327704f5248e390b0fc2d232586b634d871027404aa2
Opcode Fuzzy Hash: fbc78f5fc06a38311a50a2f5f4e4c9c36b3bfac2d6e4741a36c7a0b6ef8ad760
Instruction Fuzzy Hash: 12029972A0DA565FD70DBB28E4810F97790FF91364F58867AD0898A183DF34B887C798

Function 0000025906CB1BA8 Relevance: 1.6, APIs: 1, Instructions: 73nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 0000025906CB1C02

Memory Dump Source

Source File: 00000003.00000002.2135060377.0000025906CB0000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000025906CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_25906cb0000_gEP8SOoakR.jbxd

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
Instruction ID: e4010ca8a906d580a8f1b91ddaa9b3814f223874acbb76fac17af5502e89a253
Opcode Fuzzy Hash: 9e7362a58a991fd67ed60abdc4631b05ef3ffe28a9eadedd5685242ff6fa6018
Instruction Fuzzy Hash: C501C87170CF284FE758995CEC4977572C1D7C5332F405B2FD989C36D2DA619841468A

Function 00007FF848E690F2 Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da86cb59786d56773fb3877b9788db1b05f2c599f03f6e8ac4c0b50eab3a11a1
Instruction ID: e0f8ca36c2edfdaeb89898ea30d1a2f4ff06786ee6626fa32e748af566a4db08
Opcode Fuzzy Hash: da86cb59786d56773fb3877b9788db1b05f2c599f03f6e8ac4c0b50eab3a11a1
Instruction Fuzzy Hash: A802F36061D9892FE74DB77884137EABBD1FF49340F6841BDD089CB687CD28A882C795

Function 00007FF61865D9E0 Relevance: 293.3, APIs: 4, Strings: 162, Instructions: 2775
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6186420F0: GetProcAddress.KERNEL32 ref: 00007FF61864210E

Part of subcall function 00007FF6186420F0: exit.MSVCRT ref: 00007FF61864223F

signal.MSVCRT ref: 00007FF61865EF96
signal.MSVCRT ref: 00007FF61865EFA3
signal.MSVCRT ref: 00007FF61865EFB0
signal.MSVCRT ref: 00007FF61865EFC3

Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BC81
Part of subcall function 00007FF61864BB80: memcpy.MSVCRT ref: 00007FF61864BCA2

Strings

queryUnbiasedInterruptTime, xrefs: 00007FF61865F77F
pllVal, xrefs: 00007FF61865E191
RecordClear, xrefs: 00007FF61865DDA5
uiVal, xrefs: 00007FF61865E0BA
Invoke, xrefs: 00007FF6186600C7
lstrlenW, xrefs: 00007FF61865F256
ppdispVal, xrefs: 00007FF6186606D3
wReserved1, xrefs: 00007FF61865E5C6
pullVal, xrefs: 00007FF61865DEA2
RecordDestroy, xrefs: 00007FF61865DD2D
cElements, xrefs: 00007FF61865E209
key5, xrefs: 00007FF618661F6E
uintVal, xrefs: 00007FF61865E036
GetName, xrefs: 00007FF6186611A4
Field1, xrefs: 00007FF61865DACB
IsMatchingType, xrefs: 00007FF6186612B8
Release, xrefs: 00007FF61865E33D
RecordCreate, xrefs: 00007FF6186613DD
QueryInterface, xrefs: 00007FF61865FDF4
VariantClear, xrefs: 00007FF618661993
rgsabound, xrefs: 00007FF6186603EF
puiVal, xrefs: 00007FF61865DED8
lVal, xrefs: 00007FF61865E525
procname, xrefs: 00007FF61865E749
skey, xrefs: 00007FF61865F453
pvData, xrefs: 00007FF61865E226
wReserved2, xrefs: 00007FF61865E5A4
MultiByteToWideChar, xrefs: 00007FF61865F23C
lLbound, xrefs: 00007FF61865E1EC
IsEqualGUID, xrefs: 00007FF61865F1C5
RecordInit, xrefs: 00007FF61865DDBE
cbElements, xrefs: 00007FF61865E260
CreateToolhelp32Snapshot, xrefs: 00007FF618661A66
GetProcessHeap, xrefs: 00007FF61865F2F0
PutField, xrefs: 00007FF61865DD6D
Lo32, xrefs: 00007FF61865DF35
pfltVal, xrefs: 00007FF6186604F7
bstrVal, xrefs: 00007FF61865E3A8
SysFreeString, xrefs: 00007FF618661947
coresCount, xrefs: 00007FF61865F85E
zonedTimeFromAdjTimeImpl, xrefs: 00007FF61865DC52
AddRef, xrefs: 00007FF61865E352
WideCharToMultiByte, xrefs: 00007FF61865F1F7
raw, xrefs: 00007FF61865DA88
pscode, xrefs: 00007FF61865E139
cipher, xrefs: 00007FF618661FA4
GetWindowThreadProcessId, xrefs: 00007FF61865F413
GetField, xrefs: 00007FF618661232
pdblVal, xrefs: 00007FF61865E181
union1, xrefs: 00007FF61865DFFA
hresult, xrefs: 00007FF61865DB14
ulVal, xrefs: 00007FF61865E09D
boolVal, xrefs: 00007FF61865E494
queryIdleProcessorCycleTime, xrefs: 00007FF61865F830
int64, xrefs: 00007FF61865E3E5
pdate, xrefs: 00007FF61865E121
UpdateProcThreadAttribute, xrefs: 00007FF61865F358
puintVal, xrefs: 00007FF61865DE5C
ullVal, xrefs: 00007FF61865E07D
VariantCopy, xrefs: 00007FF6186619AD
scale, xrefs: 00007FF61865DFCD
GetGuid, xrefs: 00007FF61866114A
Mid32, xrefs: 00007FF61865DF08
data, xrefs: 00007FF618661B6A
date, xrefs: 00007FF61865E3C8
CreateProcessW, xrefs: 00007FF61865F372
hIntel, xrefs: 00007FF61865F901
pulVal, xrefs: 00007FF61865DEBB
RecordCopy, xrefs: 00007FF618661120
name, xrefs: 00007FF61865DC13
pvarVal, xrefs: 00007FF6186607E5
cLocks, xrefs: 00007FF61865E243
dctx6, xrefs: 00007FF618661FCD
pboolVal, xrefs: 00007FF61865E168
lpVtbl, xrefs: 00007FF61865DDDA
SysStringLen, xrefs: 00007FF61865F229
GetCurrentThread, xrefs: 00007FF61865F28F
GetTypeInfo, xrefs: 00007FF61865DD89
Field0, xrefs: 00007FF61865DAEC
pRecInfo, xrefs: 00007FF618661740
SafeArrayPutElement, xrefs: 00007FF6186619FB
GetCommandLineW, xrefs: 00007FF61865F532
SysAllocString, xrefs: 00007FF6186619C7
pparray, xrefs: 00007FF618660704
Lo64, xrefs: 00007FF61865DEF8
GetFileAttributesW, xrefs: 00007FF618662157
pvRecord, xrefs: 00007FF61865DE02
GetFieldNames, xrefs: 00007FF61866128A
iVal, xrefs: 00007FF61865E4EB
GetForegroundWindow, xrefs: 00007FF61865F3F9
decVal, xrefs: 00007FF61865DCFD
wReserved3, xrefs: 00007FF61865E583
ResumeThread, xrefs: 00007FF61865F3A6
intVal, xrefs: 00007FF61865E053
piVal, xrefs: 00007FF61865E1C2
bVal, xrefs: 00007FF61865E508
RtlGetVersion, xrefs: 00007FF618662125
InitializeProcThreadAttributeList, xrefs: 00007FF61865F33E
filename, xrefs: 00007FF61865E71E
scode, xrefs: 00007FF61865E477
Field2, xrefs: 00007FF618661AF7
Thread32First, xrefs: 00007FF618661A80
Hi32, xrefs: 00007FF61865DF62
sign, xrefs: 00007FF61865DFB0
line, xrefs: 00007FF61865E734
pintVal, xrefs: 00007FF61865DE75
trace, xrefs: 00007FF61865EA6C
OpenProcess, xrefs: 00007FF61866216A
RecordCreateCopy, xrefs: 00007FF6186613FB
DispGetIDsOfNames, xrefs: 00007FF618661934
punkVal, xrefs: 00007FF61865E38F
tProcess1, xrefs: 00007FF61865DB6A
msg, xrefs: 00007FF61865E762
LoadLibraryA, xrefs: 00007FF61865F30A
treadHandle3, xrefs: 00007FF61865DB35
dblVal, xrefs: 00007FF61865E4B1
struct1, xrefs: 00007FF61865DE1B
fltVal, xrefs: 00007FF61865E4CE
union2, xrefs: 00007FF618660C34
remoteProcID2, xrefs: 00007FF61865DB55
pdecVal, xrefs: 00007FF618660C88
GetFieldNoCopy, xrefs: 00007FF618661255
pcVal, xrefs: 00007FF618660C9B
PutFieldNoCopy, xrefs: 00007FF61865DD55
parray, xrefs: 00007FF61865E2BF
queryProcessCycleTime, xrefs: 00007FF61865F752
GetProcAddress, xrefs: 00007FF61865F324
SetConsoleCP, xrefs: 00007FF61865E858
CLRCreateInstance, xrefs: 00007FF618661A34
pbstrVal, xrefs: 00007FF618660642
cDims, xrefs: 00007FF61865E29A
parent, xrefs: 00007FF61865E788
pcyVal, xrefs: 00007FF618660636
SafeArrayCreate, xrefs: 00007FF6186619E1
Thread32Next, xrefs: 00007FF618661A9A
fFeatures, xrefs: 00007FF61865E27D
bCryptGenRandom, xrefs: 00007FF61865F73A
GetCurrentProcess, xrefs: 00007FF61865F38C
NtFlushInstructionCache4, xrefs: 00007FF618661E21
GetIDsOfNames, xrefs: 00007FF61865FF98
cyVal, xrefs: 00007FF61865E467
CoInitialize, xrefs: 00007FF618661980
HeapCreate, xrefs: 00007FF61865F2BC
pbVal, xrefs: 00007FF6186604DF
GetModuleFileNameW, xrefs: 00007FF61865F545
WaitForSingleObject, xrefs: 00007FF61865F3C0
plVal, xrefs: 00007FF61865E1B2
ppunkVal, xrefs: 00007FF618660682
byref, xrefs: 00007FF61865E0F4
signscale, xrefs: 00007FF61865DF8B
llVal, xrefs: 00007FF61865E54A
HeapAlloc, xrefs: 00007FF61865F2D6
wReserved, xrefs: 00007FF61865E026
pdispVal, xrefs: 00007FF61865E308
GetTypeInfoCount, xrefs: 00007FF61865FF85
:state, xrefs: 00007FF618661E0E
GetSize, xrefs: 00007FF6186611BF
cVal, xrefs: 00007FF61865E0D7
GetThreadContext, xrefs: 00007FF61865F2A2
counter, xrefs: 00007FF61865DAB3
SetConsoleOutputCP, xrefs: 00007FF61865E845
zonedTimeFromTimeImpl, xrefs: 00007FF61865DC7B

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: signal$memcpy$AddressProcexit
String ID: :state$AddRef$CLRCreateInstance$CoInitialize$CreateProcessW$CreateToolhelp32Snapshot$DispGetIDsOfNames$Field0$Field1$Field2$GetCommandLineW$GetCurrentProcess$GetCurrentThread$GetField$GetFieldNames$GetFieldNoCopy$GetFileAttributesW$GetForegroundWindow$GetGuid$GetIDsOfNames$GetModuleFileNameW$GetName$GetProcAddress$GetProcessHeap$GetSize$GetThreadContext$GetTypeInfo$GetTypeInfoCount$GetWindowThreadProcessId$HeapAlloc$HeapCreate$Hi32$InitializeProcThreadAttributeList$Invoke$IsEqualGUID$IsMatchingType$Lo32$Lo64$LoadLibraryA$Mid32$MultiByteToWideChar$NtFlushInstructionCache4$OpenProcess$PutField$PutFieldNoCopy$QueryInterface$RecordClear$RecordCopy$RecordCreate$RecordCreateCopy$RecordDestroy$RecordInit$Release$ResumeThread$RtlGetVersion$SafeArrayCreate$SafeArrayPutElement$SetConsoleCP$SetConsoleOutputCP$SysAllocString$SysFreeString$SysStringLen$Thread32First$Thread32Next$UpdateProcThreadAttribute$VariantClear$VariantCopy$WaitForSingleObject$WideCharToMultiByte$bCryptGenRandom$bVal$boolVal$bstrVal$byref$cDims$cElements$cLocks$cVal$cbElements$cipher$coresCount$counter$cyVal$data$date$dblVal$dctx6$decVal$fFeatures$filename$fltVal$hIntel$hresult$iVal$int64$intVal$key5$lLbound$lVal$line$llVal$lpVtbl$lstrlenW$msg$name$pRecInfo$parent$parray$pbVal$pboolVal$pbstrVal$pcVal$pcyVal$pdate$pdblVal$pdecVal$pdispVal$pfltVal$piVal$pintVal$plVal$pllVal$pparray$ppdispVal$ppunkVal$procname$pscode$puiVal$puintVal$pulVal$pullVal$punkVal$pvData$pvRecord$pvarVal$queryIdleProcessorCycleTime$queryProcessCycleTime$queryUnbiasedInterruptTime$raw$remoteProcID2$rgsabound$scale$scode$sign$signscale$skey$struct1$tProcess1$trace$treadHandle3$uiVal$uintVal$ulVal$ullVal$union1$union2$wReserved$wReserved1$wReserved2$wReserved3$zonedTimeFromAdjTimeImpl$zonedTimeFromTimeImpl
API String ID: 1418167214-113516584
Opcode ID: 15dc9790d4c75831ed325ac1702396702ec7717f66dea5cc2fa71ba48d86f2b3
Instruction ID: 554a51feb9eeb01c70336332dbbe2f894c7b6adc596a80c6cfaec3c5fd1d7a15
Opcode Fuzzy Hash: 15dc9790d4c75831ed325ac1702396702ec7717f66dea5cc2fa71ba48d86f2b3
Instruction Fuzzy Hash: AA930E21C1CED295F7128B38A4653F573A1AFA1B28F005335C98C96665EF7EF149E388

Function 00007FF61864A740 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 297
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF6186466C7
Part of subcall function 00007FF618646670: MultiByteToWideChar.KERNEL32 ref: 00007FF61864672A

SysAllocString.OLEAUT32 ref: 00007FF61864A77F
_setjmp.MSVCRT ref: 00007FF61864A7D6
CoInitialize.OLE32 ref: 00007FF61864A8BB
SysFreeString.OLEAUT32 ref: 00007FF61864A946
memcpy.MSVCRT ref: 00007FF61864AA0C
CoInitialize.OLE32 ref: 00007FF61864AA43
SafeArrayCreate.OLEAUT32 ref: 00007FF61864AAC9
SafeArrayPutElement.OLEAUT32 ref: 00007FF61864AAFA

Strings

r: , xrefs: 00007FF61864A9F6
toVariant, xrefs: 00007FF61864ACCE
specifi, xrefs: 00007FF61864A9C3
ed membe, xrefs: 00007FF61864A9D1
com.nim, xrefs: 00007FF61864ACC7
unable t, xrefs: 00007FF61864A9B5
o invoke, xrefs: 00007FF61864A97F
VariantConversionError, xrefs: 00007FF61864AC66, 00007FF61864ACE1

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: ArrayByteCharInitializeMultiSafeStringWide$AllocCreateElementFree_setjmpmemcpy
String ID: specifi$VariantConversionError$com.nim$ed membe$o invoke$r: $toVariant$unable t
API String ID: 4234589578-1707675
Opcode ID: df58db6be012ea270ca5ee00f32570b053bba1f68944712e992e1bbd43113879
Instruction ID: 614af9e660fa2ae3b09c696be37adc0d243dcbc001854506f409226d34ca3a12
Opcode Fuzzy Hash: df58db6be012ea270ca5ee00f32570b053bba1f68944712e992e1bbd43113879
Instruction Fuzzy Hash: 73F16D32A09F8691EB208B25F4A43AE73A0FB94F90F544139DA8D87795DF7CD444D788

Function 00007FF618648C30 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 190
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fileno.MSVCRT ref: 00007FF618648C4D
_setmode.MSVCRT ref: 00007FF618648C5E
_fileno.MSVCRT ref: 00007FF618648C6A
_setmode.MSVCRT ref: 00007FF618648C74
_fileno.MSVCRT ref: 00007FF618648C80
_setmode.MSVCRT ref: 00007FF618648C8A
SetConsoleOutputCP.KERNEL32 ref: 00007FF618648C91
SetConsoleCP.KERNEL32 ref: 00007FF618648C9C
LoadLibraryA.KERNEL32 ref: 00007FF618648CA9
GetProcAddress.KERNEL32 ref: 00007FF618648CBE
CoInitialize.OLE32 ref: 00007FF618648E5B

Strings

Ws2_32.dll, xrefs: 00007FF618648CA2
inet_ntop, xrefs: 00007FF618648CB7

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: _fileno_setmode$Console$AddressInitializeLibraryLoadOutputProc
String ID: Ws2_32.dll$inet_ntop
API String ID: 1755878316-2739477577
Opcode ID: 1986d8a1d44493f4ea220e76b038f6538c9eb1048286d2816647634d0045ad1a
Instruction ID: 864431bc3caf7dbc7822a435dff43cc953624673271bf1beb103368e20c25648
Opcode Fuzzy Hash: 1986d8a1d44493f4ea220e76b038f6538c9eb1048286d2816647634d0045ad1a
Instruction Fuzzy Hash: 96913731A19F1681EB449B64F82837C67A1FB94FA0F840135DA8D83794DF7CE855E788

Function 00007FF618642260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF618641DB0: strlen.MSVCRT ref: 00007FF618641DC1
Part of subcall function 00007FF618641DB0: fwrite.MSVCRT ref: 00007FF618641DD4

exit.MSVCRT(?,?,?,?,00007FF618642365,?,?,?,?,00007FF6186F6128,?,3F000000,0000025908928060,00007FF618642D1D), ref: 00007FF618642283
VirtualAlloc.KERNEL32 ref: 00007FF618642313
VirtualAlloc.KERNEL32 ref: 00007FF6186423CD

Strings

out of memory, xrefs: 00007FF61864226F

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AllocVirtual$exitfwritestrlen
String ID: out of memory
API String ID: 4248889879-49810860
Opcode ID: 8f4efc17e4d4406187837a353f8bf2edd9edcfca3123a05e085200c912c04911
Instruction ID: 4101c6b4d47ea2220483c63e6e0d2144e11eccfb5b26fe57d0494d387376e551
Opcode Fuzzy Hash: 8f4efc17e4d4406187837a353f8bf2edd9edcfca3123a05e085200c912c04911
Instruction Fuzzy Hash: 5E218932B05F8182EB188B29E5583AEA7A0E748BE0F548235CB6D873C1CF3DE495D344

Function 00007FF848E607D0 Relevance: 4.0, Strings: 3, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:CH, xrefs: 00007FF848E61313
:CH, xrefs: 00007FF848E61333
gfff, xrefs: 00007FF848E61408

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: :CH$:CH$gfff
API String ID: 0-3902490275
Opcode ID: b65f5727c6d8f626c3dcc003cd786b49a115a6ae2ce3621aecb021ccb63fd2fc
Instruction ID: 028182b0757772ae23d86175913238ef9a5ceae5eb89c4958c23de21663428e6
Opcode Fuzzy Hash: b65f5727c6d8f626c3dcc003cd786b49a115a6ae2ce3621aecb021ccb63fd2fc
Instruction Fuzzy Hash: 1C813921E1D94A4FE75EEA3C84512B4B7D2FF94780F5441BAD04EC729ADF39B8424385

Function 00007FF618642290 Relevance: 3.9, APIs: 3, Instructions: 153
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF618642313
VirtualAlloc.KERNEL32 ref: 00007FF6186423CD

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 61b36df273f6b85ec4401ed97c8b4a5ba5ce742697c2d4847c6fd4114e6972b1
Instruction ID: 2f70b944df992ffb1371c0cca6f670507ffda02558da083a2d958fe8d24f6050
Opcode Fuzzy Hash: 61b36df273f6b85ec4401ed97c8b4a5ba5ce742697c2d4847c6fd4114e6972b1
Instruction Fuzzy Hash: E8519E32705B8580EB198B29E4683AD67A0EB89FE4F688135DE5D8B3C5DF39E085D344

Function 00007FF61864BB80 Relevance: 3.9, APIs: 3, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF61864BC81
memcpy.MSVCRT ref: 00007FF61864BCA2
memcpy.MSVCRT ref: 00007FF61864BD8F

Part of subcall function 00007FF618643F10: memset.MSVCRT ref: 00007FF618643FA2

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 3b4c29ced6fc8eeeec82797927dfcd0c7633041d78cfa8070d8ed1b799edb56f
Instruction ID: 46969cec201093a4b8882caac8b36324a50f65ccc6ef379bbc8e328f9a740e8b
Opcode Fuzzy Hash: 3b4c29ced6fc8eeeec82797927dfcd0c7633041d78cfa8070d8ed1b799edb56f
Instruction Fuzzy Hash: E351AC72609F8582EB60DB65E4503AD77A0FB84F98F858532DA8C87795EF3CD408D384

Function 00007FF618645B50 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF618645C93

Strings

ReraiseDefect, xrefs: 00007FF618645BB0

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy
String ID: ReraiseDefect
API String ID: 3510742995-3378185472
Opcode ID: 7c9cd1653c2dd4753b55a6b8421e778c657948852e18861a3f90cb9161839ba5
Instruction ID: 2b83dc9c2756f8405541835e8a65b5133f6bb17ca8e55686c59d7b2bd7bf20e4
Opcode Fuzzy Hash: 7c9cd1653c2dd4753b55a6b8421e778c657948852e18861a3f90cb9161839ba5
Instruction Fuzzy Hash: 28310092E09E8681EF049B6480153FE6361AF85FA8F84C336EE1C877D5DE2DE0419384

Function 00007FF848E605F0 Relevance: 3.0, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

:CH, xrefs: 00007FF848E6115E
H, xrefs: 00007FF848E60EDF

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: :CH$H
API String ID: 0-1765256081
Opcode ID: 64104eb0b1777079da7a236120d3564e7abc859b8adbe75906c034170702bc19
Instruction ID: 89b1982e87d3b94b9449494d8073067f6af43ee389b28ce0bbc23205a8dccecc
Opcode Fuzzy Hash: 64104eb0b1777079da7a236120d3564e7abc859b8adbe75906c034170702bc19
Instruction Fuzzy Hash: E7D15622E1DD8A5FE799FB3844562B663D1FF95690F4841BAD00ED31C7EE2CB8028346

Function 00007FF848E6B8FA Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

kN_H, xrefs: 00007FF848E6B9EF
jN_H, xrefs: 00007FF848E6BA73

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: jN_H$kN_H
API String ID: 0-3263368993
Opcode ID: fed9bb0af1827c2001ccc6e23a2c1822930854dc535544baf9e01f7fd4318cfe
Instruction ID: a9b060bc59a822852f8fe96026ffa4b9fc9cbefdee0585073e7e0b6feb4e89ee
Opcode Fuzzy Hash: fed9bb0af1827c2001ccc6e23a2c1822930854dc535544baf9e01f7fd4318cfe
Instruction Fuzzy Hash: 39812861A0DAC56FE719A37854562F9BFE0FF963A4F5800FEC0898B193CD2868478355

Function 00007FF618642370 Relevance: 2.6, APIs: 2, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF6186423CD

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4ce8db57e7ee0f556b2e6a54c5ee9ec679398d8325481f7e710a92328de204db
Instruction ID: 526f7d5f4271846ed2cf437e98c257e43d4d5a4b2829445c42f588c5959ee3c6
Opcode Fuzzy Hash: 4ce8db57e7ee0f556b2e6a54c5ee9ec679398d8325481f7e710a92328de204db
Instruction Fuzzy Hash: 02517F72706F8580EF199B25D8683AD27A1EB94FD4F688536DE0D4B384EE39E441D344

Function 00007FF61864ADB0 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_setjmp.MSVCRT ref: 00007FF61864AE48

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: _setjmp
String ID:
API String ID: 3051281561-0
Opcode ID: cab75eb36988222bcd097d8e06d6b7df367d0e1f3e54dad1592f0bc6b84a2da2
Instruction ID: f90fcd3324273921fea2af71e93cfc1a2797e7c52ed73f4012ea890a10788eae
Opcode Fuzzy Hash: cab75eb36988222bcd097d8e06d6b7df367d0e1f3e54dad1592f0bc6b84a2da2
Instruction Fuzzy Hash: A0712A36609F8681EB619B24F0603AE73A0FBD4B94F504136DA8D83B68DF3DD444DB84

Function 00007FF61864DDD0 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF61864DE5A

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ce9684a7bcbf9374ec5cca18138e3e32ea178d5a1363495608cb7d33c7bc0b15
Instruction ID: 4decb3bb6b1a03e798e6dfb67e9d50b3a62b89e5eb224c6f70a9b630da1347db
Opcode Fuzzy Hash: ce9684a7bcbf9374ec5cca18138e3e32ea178d5a1363495608cb7d33c7bc0b15
Instruction Fuzzy Hash: 83319CA2B04E1681EB14DF2AC49866D2765FBA4FE8F454536CE2D833D0DF38D880E384

Function 00007FF61864E630 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

_setjmp.MSVCRT ref: 00007FF61864E69E

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: _setjmp
String ID:
API String ID: 3051281561-0
Opcode ID: 7f1ee1402874eb9ab1b3ada440b1831695bc8974bc0591d5c60109507bdbe239
Instruction ID: 9046bbb7f5a0bbd12ac5ba8f5653b401285393d7475a38812d642f7544d09b8e
Opcode Fuzzy Hash: 7f1ee1402874eb9ab1b3ada440b1831695bc8974bc0591d5c60109507bdbe239
Instruction Fuzzy Hash: FE41FB7A608F8680EB619B26E4643AE73A1FBC4FA4F508026DA8D87758DF3CD445D744

Function 00007FF848E63EFA Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

N_H, xrefs: 00007FF848E64074

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: N_H
API String ID: 0-343878021
Opcode ID: 7470775701e882115dce53669ff2f62610f997c98a512e622ea3e2745885b241
Instruction ID: bc573e5068a2162b47a01cbfee495e9544ff57bb80613923fd140bd2ca9da881
Opcode Fuzzy Hash: 7470775701e882115dce53669ff2f62610f997c98a512e622ea3e2745885b241
Instruction Fuzzy Hash: B581F3A294DAC92FE306B7B8A8665E93FA0EF16260F4C01FBC089CF193DD1C64478355

Function 00007FF848E606A0 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

:CH, xrefs: 00007FF848E6115E

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: :CH
API String ID: 0-1644320485
Opcode ID: ca4d5919d173eea7fbebc4d006a59857e8e3f8e2b5f4573edee4388d97df41b4
Instruction ID: 14894fdd142945e8451d96d1e81314a30422884d7651f0d7582116c5b23f6966
Opcode Fuzzy Hash: ca4d5919d173eea7fbebc4d006a59857e8e3f8e2b5f4573edee4388d97df41b4
Instruction Fuzzy Hash: 79610762D1CD8A6EEA89FB3884516F6A391FF95350F4842BAC00EC3187EE2DB4018756

Function 00007FF848E61048 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

:CH, xrefs: 00007FF848E6115E

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: :CH
API String ID: 0-1644320485
Opcode ID: 62f6021c5f0016c0c63bda04708ca10851ba33afbb9415c11bb13bc9d7978636
Instruction ID: 5503e61c548de13023a53420211680fb5e43a20aced468222649dc7fb4c5f5e1
Opcode Fuzzy Hash: 62f6021c5f0016c0c63bda04708ca10851ba33afbb9415c11bb13bc9d7978636
Instruction Fuzzy Hash: 4561D662D1CD8A6EEA89FB3884516F5A391FFA5354F4842BAC00EC3187EF3DB4418756

Function 00007FF618642EA0 Relevance: 1.4, APIs: 1, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF618642FB1

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3ac8151efdcba9275be8dd78e271329b85aaca815e783dbc8375432938e4aa9c
Instruction ID: 8d15e2b8716389fc2c1176eb5a4d467be44704e8015ca64d6d5ef8829de05730
Opcode Fuzzy Hash: 3ac8151efdcba9275be8dd78e271329b85aaca815e783dbc8375432938e4aa9c
Instruction Fuzzy Hash: 4B61CD72A05F4290EB198B25E5143AD63A0FF84FA4F288235DA5D87798EF38E4D0D394

Function 00007FF848E60E65 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848E60EDF

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1145064cc1cfdf6cac46ce9c4bd19679affac1bd0ec7f4ee83618833ed403596
Instruction ID: 2bc00d574383d68e80969c9ad5cbe71b6fd1320cb670828de57306d6ac070872
Opcode Fuzzy Hash: 1145064cc1cfdf6cac46ce9c4bd19679affac1bd0ec7f4ee83618833ed403596
Instruction Fuzzy Hash: 85411921F1CAA90FE79DB63C185527D67C2FFD5691F4401BED04EE32D3DE2868064249

Function 00007FF848E61391 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF848E61408

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: c3627a63b167688e9a2019d6972ebccb043429fd377630941a17068e6354bf60
Instruction ID: 3c75e3f1bfc4214e89589a0cb903bf01cda773a40f63d1121112fa71bca99598
Opcode Fuzzy Hash: c3627a63b167688e9a2019d6972ebccb043429fd377630941a17068e6354bf60
Instruction Fuzzy Hash: 44213E21B2D55A0FE30DE93D5C8517876C6FBC9341B58827AE18ACB3D7ED25FC068284

Function 00007FF848E60AD2 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848E60B19

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 47f4cedb195713c86ce7199a79c1ecab1d20451993aca334b23da8f9b82e3314
Instruction ID: 4db05c5bac3d76843d30fd6251cddb811790c55dad5715b454a9e3b189943c8e
Opcode Fuzzy Hash: 47f4cedb195713c86ce7199a79c1ecab1d20451993aca334b23da8f9b82e3314
Instruction Fuzzy Hash: C7317C30E199596FEB85FBA8D855AFDB7A1FF58394F4840B9E04DE7182CF286801CB44

Function 00007FF848E606D0 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF848E61408

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 782d9dac9c861334a64c08f39a3c147765258380bbf50dae20586cdebe8f4fff
Instruction ID: 1599a924036dcf01a89345a88c0ecd4de8e8fc443547e6299c94cc004d311b83
Opcode Fuzzy Hash: 782d9dac9c861334a64c08f39a3c147765258380bbf50dae20586cdebe8f4fff
Instruction Fuzzy Hash: EE214921B2D96A0FD30DA92D5C8107876C6FBC9341B98823EE18BDB3D6ED25FC028184

Function 00007FF618643F10 Relevance: 1.3, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF618643FA2

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: c6be985e4542501d5b7f04d0f4c62c4646fcfcc369a67ada8d91d0a5f580c3bf
Instruction ID: 05fc0dd66cacc1dfc6aff751a3974e786029c3328441cdbd6d044bea2aeb5488
Opcode Fuzzy Hash: c6be985e4542501d5b7f04d0f4c62c4646fcfcc369a67ada8d91d0a5f580c3bf
Instruction Fuzzy Hash: 15412AB6A08E4690EB44CF75D6606BC7365EB98FB0F940233DA1D83790DF39D8999384

Function 00007FF848E6FD92 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848E6FE1C

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 0bfa2eb741fd3151fcec69629a2a9c89d596dbcc8e12acc2ab54bf3b8d09b751
Instruction ID: e185d2fd82f7765bfcf98cf8315b19a458c4e7fe0ea8a0d88060598cc165d813
Opcode Fuzzy Hash: 0bfa2eb741fd3151fcec69629a2a9c89d596dbcc8e12acc2ab54bf3b8d09b751
Instruction Fuzzy Hash: 8731C32090E6C19FE30AE7B864AA4A97FB0DF5726075C48EEC0C59F1E3CD286517C356

Function 00007FF848E670AD Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848E670E9

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 54f238750f88042c55d2854e012d955df2d9bded087e0256104679ca71df11be
Instruction ID: b02456b4a0ca39b45233f2b72614b2973a97c25f4afb4cdad00b87e533f93408
Opcode Fuzzy Hash: 54f238750f88042c55d2854e012d955df2d9bded087e0256104679ca71df11be
Instruction Fuzzy Hash: 9221D751A4EDC65FE38AA37818261F86F90EF56250B8C05FFC049CB1E7DE1D28528356

Function 00007FF848E670C0 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848E670E9

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 794fd0f47898bbdf5c635985a53c9e3a770c1b3da60d843e492bf876108026bc
Instruction ID: 83c4d9d4369932b14a46c077a7e7a0fbe90abd2c59a7870f188e15f18425063b
Opcode Fuzzy Hash: 794fd0f47898bbdf5c635985a53c9e3a770c1b3da60d843e492bf876108026bc
Instruction Fuzzy Hash: 9211D651A4EDC61FE38AB37C14261F96BD1EF56250B8805FED449CB1D7DE1C28528345

Function 00007FF848E6F4A9 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe28700fff6afd2f040eb451eb2fec8bbcc1a5d05bd8bff150ecf9342237266
Instruction ID: 4327bf444b7a56ae889656fc58ba1f4ff1e4504078de5e321b918f150d422750
Opcode Fuzzy Hash: dbe28700fff6afd2f040eb451eb2fec8bbcc1a5d05bd8bff150ecf9342237266
Instruction Fuzzy Hash: 1222923090DA8D8FDB85EF68C455EA97BE1FF69350F5801DDD449DB2A2CA38E846CB40

Function 00007FF848E68280 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c0bc6745aae3a646b77b2ec006164e51ba0b05ad5ddc6d29faae5987151a8f
Instruction ID: b0bae904ea7941dbac53187ad4a970b5a41ce0e5fe9560ed24854a4a8a9ce43f
Opcode Fuzzy Hash: 43c0bc6745aae3a646b77b2ec006164e51ba0b05ad5ddc6d29faae5987151a8f
Instruction Fuzzy Hash: 34B14853E0EDA25FE218766CB8551F96B90FF417A1F4841BBC18DC71C7DE28A80B8399

Function 00007FF848E70501 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c53830348b8a818f2d4b5763c4d9a4c0df607df0d9e766bc4cfb51d43b7c516
Instruction ID: afd8984f4351687f02929bdf38b8baede221caea422eb2763b049c19f8848838
Opcode Fuzzy Hash: 6c53830348b8a818f2d4b5763c4d9a4c0df607df0d9e766bc4cfb51d43b7c516
Instruction Fuzzy Hash: F1713732E1DE4A5EE769B65864162B877D1FF95360F04027FD44FC35C2EF29B802428A

Function 00007FF848E606C8 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef39ae5521e23b39fae7ff963df8d79a88a5d62dd815796422a76e8aa242075
Instruction ID: 586690e89fe9b3da9f3e5bf3f10568e2e09e1d25876976230e2dae996ecf8747
Opcode Fuzzy Hash: 7ef39ae5521e23b39fae7ff963df8d79a88a5d62dd815796422a76e8aa242075
Instruction Fuzzy Hash: 48819E3091CA0A4FE75CEA18C4818B573A1FFA4354FA04A7DD49B97686DB36F843CB84

Function 00007FF848E606C0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbd87cb1d468df5307d0c7e1625c34fa8531bb41bacda9f7e11e6db69801dae
Instruction ID: b6c94d26866160380e036858ccdbbdb0c3a668d328a34feede79cf327b37102e
Opcode Fuzzy Hash: 6bbd87cb1d468df5307d0c7e1625c34fa8531bb41bacda9f7e11e6db69801dae
Instruction Fuzzy Hash: F171CB7061CA0A8FE369EF28D4849B177A1FF94344F9105BDC44AD76A2DB35B842CB48

Function 00007FF848E6B548 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5887aa0692084b4dd23ef692308c38e17b95b02e05693a4e9f74a88f4a30dd
Instruction ID: 9f5eac828e01031a9e5c3367f2deff9547f96771897790c6340eb342cf01dd0d
Opcode Fuzzy Hash: 3b5887aa0692084b4dd23ef692308c38e17b95b02e05693a4e9f74a88f4a30dd
Instruction Fuzzy Hash: 34513B62D0EAD15FE31AB77868291F57FA1FF51650F4C40FBC0888B0D3EA186909835A

Function 00007FF848E6A890 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e19c8cd14cb0b5612a1ecf09429e148a6ce70073e1fc8d80a15bc36ea97ce2
Instruction ID: 34dad3af50dbd169c65682478b932479f61f99789e0101e2a7de37a53b5d6984
Opcode Fuzzy Hash: 45e19c8cd14cb0b5612a1ecf09429e148a6ce70073e1fc8d80a15bc36ea97ce2
Instruction Fuzzy Hash: 42414821E0E9D69FE359B77C28551B8BB90FF52260F9801FFD049D7083EE1C68568395

Function 00007FF848E674D3 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c968d37c46a13fcbddb1b3bd49421ad2b5481655a5eb28e3248be693ada27859
Instruction ID: ebc3544f0be115c21ad304ab2ec9f6c98462f8daa4814f19d8e9a9f397302170
Opcode Fuzzy Hash: c968d37c46a13fcbddb1b3bd49421ad2b5481655a5eb28e3248be693ada27859
Instruction Fuzzy Hash: 8E41B03091EA8A8FDB89FF28C451AAA7BA1FF55340F4405BAD409C7196DF38E845CB91

Function 00007FF848E6DA1E Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ab58752b96fc71105608b34674a461b0f748605b46cbd1722ee20bfaf1e575
Instruction ID: 7c93bb65c85a975e89dd82b01170237c61f3158b5610c4f5b23c11b1de0be392
Opcode Fuzzy Hash: 07ab58752b96fc71105608b34674a461b0f748605b46cbd1722ee20bfaf1e575
Instruction Fuzzy Hash: 70416C3050DAC55FD71AEB388C59A617FA4EF43264B5902FBD088CB1E3DE24AC46C761

Function 00007FF848E6E5E5 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c3fc4c55356323d6826c0e0c91b46fc9e693752ff0577eea7b86c105778081
Instruction ID: e2277dbf3478911e52c07784de8bd392844657015ad160424085db862c776358
Opcode Fuzzy Hash: e9c3fc4c55356323d6826c0e0c91b46fc9e693752ff0577eea7b86c105778081
Instruction Fuzzy Hash: 04317B22A1EED10FD35AA36C58556BA7BE0EF5A760F1801FFD049C71D3DD18A8068395

Function 00007FF848E604B8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b546c2722deebaf9929495927e5f9e3fdf2fc12b0011cd39f9890b4e6447c21
Instruction ID: eb23778dd026581824817a0aedfbbf737aaf8ad9a164af53cee94cb8f62a1b99
Opcode Fuzzy Hash: 8b546c2722deebaf9929495927e5f9e3fdf2fc12b0011cd39f9890b4e6447c21
Instruction Fuzzy Hash: 3831BC31B18C194FEBA4FB3C90987B8A3C1FB98651F5502BAD40DD729ADE28EC818740

Function 00007FF848E68FB0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b69ecf899ec428525f5bf928ec496b0223359ef45a8f6f8ee9bbf7c405e48da
Instruction ID: 900c44debfef73ac4da6b1008e8b9dd3f3474730e84ad5800d375537e0a92bc3
Opcode Fuzzy Hash: 6b69ecf899ec428525f5bf928ec496b0223359ef45a8f6f8ee9bbf7c405e48da
Instruction Fuzzy Hash: D5217722A1DDD10FE259A32C64196FA7BD0EF5A7A0F5801BFD04AC72D6CD18A80783C5

Function 00007FF848E6FC9F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009e8c953c35e56d51d6cc3da741c070c714f66eab737db96680abc37c521ca3
Instruction ID: bd80720983a1fe37da2fb665b08eb920e370d405521e3829ef49f59e4fedeb33
Opcode Fuzzy Hash: 009e8c953c35e56d51d6cc3da741c070c714f66eab737db96680abc37c521ca3
Instruction Fuzzy Hash: F431393184E6CE2FD702BBB458151E9BFE4EF47250F4801FBD889CB0A3CA2C255A8351

Function 00007FF848E685C1 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c833f53d61a8392e3e043ca2b746721463e7c2cfafe139b56c5f3b061a3933f5
Instruction ID: 77d5e082a2dcfba2789e2b56e4b2287ec4c39faab26b1bdbc6aa475b39afce33
Opcode Fuzzy Hash: c833f53d61a8392e3e043ca2b746721463e7c2cfafe139b56c5f3b061a3933f5
Instruction Fuzzy Hash: 0631D12180E6D55FE707673818255A97FB1EF53280F8D05FBD0D8CB093DA2C680A839A

Function 00007FF848E6E161 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0de9938051ad76138f410972a8a2b341a424d5182f35e003d2f62e29c03461f
Instruction ID: ddf0c0a711d462e8fc67e403e3aefb6184ef32c8c82d472a94df6fff46b1a24c
Opcode Fuzzy Hash: e0de9938051ad76138f410972a8a2b341a424d5182f35e003d2f62e29c03461f
Instruction Fuzzy Hash: 4831A03050AEC55FE746E77440297EABBE1EF26300F5808EDC08ACB1A3DB78A446C745

Function 00007FF848E66B20 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0766af3705b1c6a3f6bdf38b1f5b5dfa78df5ae8a7cbae7f4b79a0c105d0d5c
Instruction ID: c1ccfe69f662d6dab5146e9a330eb0fda7919a6867a7a1e8ce2248b9f00810fd
Opcode Fuzzy Hash: d0766af3705b1c6a3f6bdf38b1f5b5dfa78df5ae8a7cbae7f4b79a0c105d0d5c
Instruction Fuzzy Hash: BF11D661D1DACD9FE346AB7868190F97FA0FF56241F4804FBD049DB1E3DE2828468352

Function 00007FF848E70135 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29caa92188e203125ea20b66304023ecc7818250f957311753c727894eda898
Instruction ID: 0a0d86f120d2bb20a6e9e82f07baab9f17908fa366fbf2a5fdecbaf177ae1f91
Opcode Fuzzy Hash: c29caa92188e203125ea20b66304023ecc7818250f957311753c727894eda898
Instruction Fuzzy Hash: 3E115E3148E6D99FC3429BB49C249D63FB4EF8B25070A01E7E089CB5A3C95D8D5AC762

Function 00007FF848E70EED Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb763415e00a9848245e2d5b7193029e3ca06602021bcb00a632f0e0a4259d8
Instruction ID: 06c0d8ba44e1cb7218a2063b57da951ed0c47195028b31eccb09721dca5efad7
Opcode Fuzzy Hash: 5fb763415e00a9848245e2d5b7193029e3ca06602021bcb00a632f0e0a4259d8
Instruction Fuzzy Hash: 2D014C21C1EEC61FD39A737854592B2BFE0FF566A0F4801FAC0898B093DA1C5884C341

Function 00007FF848E60845 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec8788d947d6e474a65ec43657c57ffe01ad62f7007451ff12d8c1c2306723d
Instruction ID: 87f9d3afe5626f4be50ee569d012f6a58c0990d8c43a823ec146a321dc5bbb6d
Opcode Fuzzy Hash: 6ec8788d947d6e474a65ec43657c57ffe01ad62f7007451ff12d8c1c2306723d
Instruction Fuzzy Hash: 48012D6348E5E62FD706B23CA8A10F57F90FF02168F4C50B3E0888D093DF18205A82D9

Function 00007FF848E6FA9D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd32b6648ff62198f13178d3f06c3eb110fd9fcd9746cf6320a985a08b4545ab
Instruction ID: 55b4629f638b2dcd5ec1fe86ca3afa362eec18fb122f95d0f873aaf3f208d241
Opcode Fuzzy Hash: dd32b6648ff62198f13178d3f06c3eb110fd9fcd9746cf6320a985a08b4545ab
Instruction Fuzzy Hash: 9D01D47188E2C14FC71AA73458168E23FA4FF03366F4D01EAD488DB4A3C62EA646C352

Function 00007FF848E6FE8C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df640bb8fde4b68ce846e99404927320c11076f6b66372bd5c3f59330f74e756
Instruction ID: e3c8a430bd9c4b378ca2df46ec90b5f3494135e90987da50561b30a4decae1c3
Opcode Fuzzy Hash: df640bb8fde4b68ce846e99404927320c11076f6b66372bd5c3f59330f74e756
Instruction Fuzzy Hash: 28119E1040E7C15FE31BABB819A61A97FA0DF17664B9C08DED0C58F1A3C91C646BD362

Function 00007FF848E6873C Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25297bfd928b74b9bbefb519916b360c921faef89a24edc14c59c7ad514d947f
Instruction ID: 833e26b9b26ca71e3c0e5c279271a3d9753c18b20765ac0e23aedb0e5ea8b9f0
Opcode Fuzzy Hash: 25297bfd928b74b9bbefb519916b360c921faef89a24edc14c59c7ad514d947f
Instruction Fuzzy Hash: 7A01A712F1DD5A1FE6D9A52C181523852D2FFC41B1F9811B7D80DD329AEE28BC465308

Function 00007FF848E6FB09 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8359cd4a7af3ae3f26d1721d5c39f147a21b970ad6804e82d586f54e80078c74
Instruction ID: 30f6dca323f2ce27f35c762d78ab01d442dc9ac16b96e26726bedd4e8f4973a9
Opcode Fuzzy Hash: 8359cd4a7af3ae3f26d1721d5c39f147a21b970ad6804e82d586f54e80078c74
Instruction Fuzzy Hash: AB01B53094DB894FD746A72898291A97FF0FF16201B4800EBD449DB1A3DA295845C782

Function 00007FF848E6A9E9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731b94b15eabf27fae29e835d412bb3e090f2300e133e356216ff7187c97bd8c
Instruction ID: 1c11370b1beb0fb8806ee8c85996b8914a707125378f697a2deef35013523805
Opcode Fuzzy Hash: 731b94b15eabf27fae29e835d412bb3e090f2300e133e356216ff7187c97bd8c
Instruction Fuzzy Hash: 7B01F73180EACC5FDB53B3B854260EA7FB0EF16260B4801EBD488CF053DA289496C3C1

Function 00007FF848E674D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2765235bed80fe0b5577fe1c643320a16d3c24d04ca56306872b116a578fd141
Instruction ID: ef1e3f4c75c10515ed464950e2b4efb5dc52eb365141d9eb3d46f52abb42b279
Opcode Fuzzy Hash: 2765235bed80fe0b5577fe1c643320a16d3c24d04ca56306872b116a578fd141
Instruction Fuzzy Hash: 6811A53040FBCE4FDB46EF3898515A93F60FF12340B48059AD448CB192D7289805C791

Function 00007FF848E70060 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f0151ae55bcdca45d3b791c7d4b7c1afcb12cb8afb6695aca872c9c4e6f6ee
Instruction ID: ae6113f6a620f7c9702f5b11e02a8188f225d4aed484d45535c220449dac5238
Opcode Fuzzy Hash: 49f0151ae55bcdca45d3b791c7d4b7c1afcb12cb8afb6695aca872c9c4e6f6ee
Instruction Fuzzy Hash: 3F012131D0C90F9EEB64BAA458212FA76A0FF423E1F044577D80CC31C1DF78A99482C6

Function 00007FF848E606A8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ca284384249cc416e3d6ae6889ee9bbc70356aaf7ff6ff039f52cfe67355f6
Instruction ID: ff74e814c4987c5315e311990b005ba23cb643f28fcd055cbaab4291c73c7b0e
Opcode Fuzzy Hash: 41ca284384249cc416e3d6ae6889ee9bbc70356aaf7ff6ff039f52cfe67355f6
Instruction Fuzzy Hash: 53017531E0C5069FD7559E299040365B7E2FF94390FA0827BD01E9B659DB36F8838BC5

Function 00007FF848E609ED Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6bf991113e6f6552fc509c25fbe0992d80717ac53a0f9768335f886a1b7a402
Instruction ID: 612e3dd2ec4f43b0476035722182ef63298f2ac57e982a934f054ec429cca623
Opcode Fuzzy Hash: a6bf991113e6f6552fc509c25fbe0992d80717ac53a0f9768335f886a1b7a402
Instruction Fuzzy Hash: 8CF05912E0E9950FE369763824591B42FD0EF9A16178902EBC008DB1A2DC595C824345

Function 00007FF848E62560 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cafaa4df65622ad176f7df5f4f2c327bcefee00ba03353e601a885a3dc1c29a
Instruction ID: b8d02365f3fab4054e46c6d56fd02b65a486f60c9de0695e9b9f1f82cde2393c
Opcode Fuzzy Hash: 3cafaa4df65622ad176f7df5f4f2c327bcefee00ba03353e601a885a3dc1c29a
Instruction Fuzzy Hash: DFF03030A14B098FDBB8EE2DE494962B3F0FB1C3107010A6DE49BC3695E724FC858B85

Function 00007FF848E674B0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fc6b54ebd047dc307c9487142cd1b0103378737318eb8b7e8a0f55befa4cfd
Instruction ID: 24eab0915db46c793853da44466fdeb0eb666f7a8b7ebc7ee10259eb5454639c
Opcode Fuzzy Hash: d8fc6b54ebd047dc307c9487142cd1b0103378737318eb8b7e8a0f55befa4cfd
Instruction Fuzzy Hash: 7EF0E53190C80DEFCB94F76898195E977A0FF09311F0111B7E40DD3155DB21AD808BC2

Function 00007FF848E612B0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6344886b49c1f307d7fff2f5cbd5466087cfb3397970c49b042acb5fd4a396f
Instruction ID: ac834104020e904c864f03a931fcfd82b4db167e1792a3af3cdc74c04f6e1842
Opcode Fuzzy Hash: b6344886b49c1f307d7fff2f5cbd5466087cfb3397970c49b042acb5fd4a396f
Instruction Fuzzy Hash: 3FE0C221F08C1A0BE7ACE52CB0952F162C2EBD8354F4441BAD80DC3389FD69AC9257C0

Function 00007FF848E6A301 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ab5474237ecc6f91e9540abc99e06dc6a7b67699f3f0b0ffbfd04ac2e10ab7
Instruction ID: fa8b79b1ddbf1e03dbbda330987451617e0fb8e6af05172765d412e68edd17f3
Opcode Fuzzy Hash: 68ab5474237ecc6f91e9540abc99e06dc6a7b67699f3f0b0ffbfd04ac2e10ab7
Instruction Fuzzy Hash: D4E0861070DD44AFE748F37C54566ADF7D2EF55300F2840B9E049C72A3CD58A8418745

Function 00007FF848E6707B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bfe51617f3e195c8103eda377797ecdcb82d6ab3f106cacfee4d2859816ab5
Instruction ID: 180ef84c8416992230c4adb27fca9928a0b2c343b24d7bf787d94ce135e243ae
Opcode Fuzzy Hash: b3bfe51617f3e195c8103eda377797ecdcb82d6ab3f106cacfee4d2859816ab5
Instruction Fuzzy Hash: A6E0C220A4DA478FE38576380C536A435D0AF46284F8900A9D448DB1E3DF6DE84A8227

Function 00007FF848E605A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f123deb4ca5d4b7a835b487b6f11099e4fc97e2e8958669cc19a28becfa418
Instruction ID: fb6988988cb737a13ddd563ec37e5ae4d0012b2227a071fdc7b81df4e7808629
Opcode Fuzzy Hash: 28f123deb4ca5d4b7a835b487b6f11099e4fc97e2e8958669cc19a28becfa418
Instruction Fuzzy Hash: 8BD02B11E2D8169FD628723C20120BC9150FF097C0F9000F5E05DD30C7ED082C4812D5

Function 00007FF848E6FC6B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e8f7a9508d943fd838041a2ce3d62d800ded088ab4fe0898eb970fc9ac58f7
Instruction ID: 102f2832b45bd19de66f0cf113c0012809232a5beee55b7f73d7fc2bafb45f90
Opcode Fuzzy Hash: f3e8f7a9508d943fd838041a2ce3d62d800ded088ab4fe0898eb970fc9ac58f7
Instruction Fuzzy Hash: 75D02B0171948C0FD705739450123EDB782DFD5610F4440F9C04DC72D6CD18141603C5

Function 00007FF848E6A339 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae5dce6489d73270b2540da320782655ec34e4b038c2fa3be2a4782175ae6ac
Instruction ID: 4008d0b8e39d9f1a9f844e5703ee2504d5416193fa4de6494d5e84884bab0fd7
Opcode Fuzzy Hash: 8ae5dce6489d73270b2540da320782655ec34e4b038c2fa3be2a4782175ae6ac
Instruction Fuzzy Hash: F1D05E00A5E9853FF20A73B814177AADB95DF55250F7855BDE0488B5D3CC0C58024256

Non-executed Functions

Function 00007FF6186499F0 Relevance: 31.9, APIs: 10, Strings: 8, Instructions: 373COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FF618649ABC
SysFreeString.OLEAUT32 ref: 00007FF618649ADC
CoInitialize.OLE32 ref: 00007FF618649B18
VariantCopy.OLEAUT32 ref: 00007FF618649B65
_setjmp.MSVCRT ref: 00007FF618649C04

Strings

hander:, xrefs: 00007FF618649F16
uncatche, xrefs: 00007FF618649EFB
d except, xrefs: 00007FF618649F05
com.nim, xrefs: 00007FF618649D44
ion insi, xrefs: 00007FF618649F24
newVariant, xrefs: 00007FF618649D4B
de event, xrefs: 00007FF618649F32
VariantConversionError, xrefs: 00007FF618649CE4, 00007FF618649D5E

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: String$CopyFreeInitializeVariant_setjmp
String ID: hander:$VariantConversionError$com.nim$d except$de event$ion insi$newVariant$uncatche
API String ID: 1008739868-602244300
Opcode ID: babd2b7deb3f69d8384347ab2bb38c6c367e35c6930c93472293837915020f9a
Instruction ID: 0cd3d0b5c92a97d2121a2b727fc533c7270522da7f27bd0e957dafbcf760aea3
Opcode Fuzzy Hash: babd2b7deb3f69d8384347ab2bb38c6c367e35c6930c93472293837915020f9a
Instruction Fuzzy Hash: 95024672A09F4681EB108F25E4A43AE77A1FB94FA4F444136DA4D877A9DF3CE444E384

Function 00007FF6186483F0 Relevance: 31.7, APIs: 3, Strings: 15, Instructions: 224COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00007FF618648412

Strings

0 .., xrefs: 00007FF61864868B
os.nim, xrefs: 00007FF61864858E
not in , xrefs: 00007FF618648672
not in , xrefs: 00007FF618648734
inde, xrefs: 00007FF6186487A7
nds, the, xrefs: 00007FF618648537
t of bou, xrefs: 00007FF618648504
not in , xrefs: 00007FF618648776
er is em, xrefs: 00007FF618648545
contain, xrefs: 00007FF618648529
pty, xrefs: 00007FF618648557
index ou, xrefs: 00007FF61864850E
0 .., xrefs: 00007FF6186487B7
paramStr, xrefs: 00007FF6186485A4
IndexDefect, xrefs: 00007FF6186484C7

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: CommandLine
String ID: contain$ not in $ not in $ not in $0 ..$0 ..$IndexDefect$er is em$inde$index ou$nds, the$os.nim$paramStr$pty$t of bou
API String ID: 3253501508-475797482
Opcode ID: 74122c24c0382604b01f4cff30d2f2a8460fd49ea4f5a06927617e3ba1fdba9b
Instruction ID: 66895255228c2b87f98095e921e41864ea209a74a888ce1f8b155334a2f0207b
Opcode Fuzzy Hash: 74122c24c0382604b01f4cff30d2f2a8460fd49ea4f5a06927617e3ba1fdba9b
Instruction Fuzzy Hash: 29A19532A09F4280EB048F25E96436D7BA5FB94FA4F448036DA5C87395EF3CE554E388

Function 00007FF618645110 Relevance: 27.5, APIs: 8, Strings: 10, Instructions: 466stringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF6186451DB
strlen.MSVCRT ref: 00007FF61864521E

Strings

sysFatal, xrefs: 00007FF61864511A
ed from:, xrefs: 00007FF618645782
Error: u, xrefs: 00007FF618645181
]], xrefs: 00007FF618645758
fatal.nim, xrefs: 00007FF618645119
[[rerais, xrefs: 00007FF618645778
excepti, xrefs: 00007FF618645170
on: , xrefs: 00007FF61864517A
ReraiseDefect, xrefs: 00007FF618645114
nhandled, xrefs: 00007FF61864518B

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpystrlen
String ID: excepti$Error: u$ReraiseDefect$[[rerais$]]$ed from:$fatal.nim$nhandled$on: $sysFatal
API String ID: 3412268980-331123295
Opcode ID: a6cd64f5d0f6d3e1560dbd9c8d6119d39aba1a0a11e14f057bc305957f246f56
Instruction ID: 4ab4dad60c1c2699074dfccf92049197714798baa4b46cdeb3629adad1501c31
Opcode Fuzzy Hash: a6cd64f5d0f6d3e1560dbd9c8d6119d39aba1a0a11e14f057bc305957f246f56
Instruction Fuzzy Hash: B522CD72A09F4281EB109F25E4587AE27A5FB85FA0F844136EE5C87B95DF3CE444E384

Function 00007FF618649280 Relevance: 16.7, APIs: 3, Strings: 8, Instructions: 193COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF6186494E4
memcpy.MSVCRT ref: 00007FF618649526

Strings

VT_VECTO, xrefs: 00007FF6186493D0
VT_RESER, xrefs: 00007FF618649428
VT_ARRAY, xrefs: 00007FF6186495A0
VED|, xrefs: 00007FF618649445
H, xrefs: 00007FF6186492FD
VT_ARRAY, xrefs: 00007FF6186492CD
VT_BYREF, xrefs: 00007FF618649398
VT_ARRAY, xrefs: 00007FF6186494BA

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy
String ID: H$VED|$VT_ARRAY$VT_ARRAY$VT_ARRAY$VT_BYREF$VT_RESER$VT_VECTO
API String ID: 3510742995-1705348919
Opcode ID: a86182c4fd8834cc737c5c4e5302b065617498eade09615eae6dd8b407819b28
Instruction ID: eb9c66d3e65cf35ca8652c1f5ad5bd82d358f8b314dd59c4fb98ab6ef9031734
Opcode Fuzzy Hash: a86182c4fd8834cc737c5c4e5302b065617498eade09615eae6dd8b407819b28
Instruction Fuzzy Hash: A5818932A09F4681EB119B25E4543AD63A4FB94FA4F998132DF4D873A5EE3CD444E388

Function 00007FF618652790 Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 167COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF6186528EB
memcpy.MSVCRT ref: 00007FF6186529AB

Strings

CLRError, xrefs: 00007FF618652796
strformat.nim, xrefs: 00007FF618652931
ValueError, xrefs: 00007FF61865281B
annot pa, xrefs: 00007FF6186528AE
format s, xrefs: 00007FF61865288F
invalid , xrefs: 00007FF618652885
parseStandardFormatSpecifier, xrefs: 00007FF618652947
rse:, xrefs: 00007FF6186528CC
tring, c, xrefs: 00007FF6186528A0

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy
String ID: CLRError$ValueError$annot pa$format s$invalid $parseStandardFormatSpecifier$rse:$strformat.nim$tring, c
API String ID: 3510742995-153200016
Opcode ID: 25213ffec185b75778fdc326f25654378bce352dc660cd6c4fc305b2a0e2afad
Instruction ID: 8329354af60eb2d2427efe18ee3fcfefac10a8071c02efdbc750aeb21f00c501
Opcode Fuzzy Hash: 25213ffec185b75778fdc326f25654378bce352dc660cd6c4fc305b2a0e2afad
Instruction Fuzzy Hash: 91714B72A09F4681EB10DF26E9543AD63A0FB85FA4F448135EA9C8B786EF3CD054D384

Function 00007FF61864D1F0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 187COMMON

Download Yara Rule

APIs

_setjmp.MSVCRT ref: 00007FF61864D227
memcpy.MSVCRT ref: 00007FF61864D422

Strings

ValueError, xrefs: 00007FF61864D383, 00007FF61864D48C
strutils.nim, xrefs: 00007FF61864D472
gfffffff, xrefs: 00007FF61864D298
parseInt, xrefs: 00007FF61864D479
invalid , xrefs: 00007FF61864D3DF
integer:, xrefs: 00007FF61864D3C5

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: _setjmpmemcpy
String ID: ValueError$gfffffff$integer:$invalid $parseInt$strutils.nim
API String ID: 2721286225-831327929
Opcode ID: 3ad7e2d703048a7e250aadf9f4a28c92847c659f50819e4f1fbdab72fa9bd7ac
Instruction ID: 2b0fd9b3cafa8d4f0d3c1718d9171db7e9d9f1d68c34b7bf09eff5c7c7dcffa5
Opcode Fuzzy Hash: 3ad7e2d703048a7e250aadf9f4a28c92847c659f50819e4f1fbdab72fa9bd7ac
Instruction Fuzzy Hash: C691AE32A09F8A81EB618B25E4643AD73A0FB95FA4F444232DA5D87395DF3CD544E388

Function 00007FF618646150 Relevance: 14.0, APIs: 2, Strings: 6, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6186461A3
exit.MSVCRT ref: 00007FF6186461B8

Strings

SIGINT: Interrupted by Ctrl-C., xrefs: 00007FF618646156
SIGFPE: Arithmetic error., xrefs: 00007FF61864617A
SIGABRT: Abnormal termination., xrefs: 00007FF61864616E
unknown signal, xrefs: 00007FF618646189
SIGILL: Illegal operation., xrefs: 00007FF618646190
SIGSEGV: Illegal storage access. (Attempt to read from nil?), xrefs: 00007FF618646162

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitstrlen
String ID: SIGABRT: Abnormal termination.$SIGFPE: Arithmetic error.$SIGILL: Illegal operation.$SIGINT: Interrupted by Ctrl-C.$SIGSEGV: Illegal storage access. (Attempt to read from nil?)$unknown signal
API String ID: 4213389737-3987738871
Opcode ID: 55abd2ccb1ffba83af6b57a166dde0f77d7c5e3c75de21c6b65acead5480ef3c
Instruction ID: 8cf743a47b8b310620c70333e8517d71d842f44f444e7c1d8844c2d71e539989
Opcode Fuzzy Hash: 55abd2ccb1ffba83af6b57a166dde0f77d7c5e3c75de21c6b65acead5480ef3c
Instruction Fuzzy Hash: 18F0BB20D08C8390FB18A77468A507C5356AF81F64FF40039E41EC3A63CF1CA849E2C8

Function 00007FF618648FD0 Relevance: 13.6, APIs: 2, Strings: 7, Instructions: 142COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF61864906A
memcpy.MSVCRT ref: 00007FF6186490AB

Strings

convert , xrefs: 00007FF618649110
to , xrefs: 00007FF61864922E
from, xrefs: 00007FF61864921A
convert , xrefs: 00007FF6186491B7
convert , xrefs: 00007FF6186491F4
convert , xrefs: 00007FF618649254
convert , xrefs: 00007FF61864903F

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy
String ID: to $convert $convert $convert $convert $convert $from
API String ID: 3510742995-1950068461
Opcode ID: 9304380911033293320c81f2acf6376005448f402ff89b2ee30c3c9f99823c00
Instruction ID: 87fc6411cf33ddabbc838473a7aa84ab53adfa84f55fdbb9155edaf0dfee9403
Opcode Fuzzy Hash: 9304380911033293320c81f2acf6376005448f402ff89b2ee30c3c9f99823c00
Instruction Fuzzy Hash: 3161BD72A08F8681EB05CF51D4583AD3BA1FB98F84F498036EA0C87395EF78D905D385

Function 00007FF6186416F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF618641709
LoadLibraryA.KERNEL32 ref: 00007FF61864171A
GetProcAddress.KERNEL32 ref: 00007FF618641738
GetProcAddress.KERNEL32 ref: 00007FF618641748

Strings

__register_frame_info, xrefs: 00007FF618641727
__deregister_frame_info, xrefs: 00007FF61864173B
libgcc_s_dw2-1.dll, xrefs: 00007FF6186416FF

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: d15966665af7c63bfc69cf10254b49aa8a80bc0e5efb5ff61f34cf4ca4ebe78a
Instruction ID: d102b2b08da03fb570ef5c8b7b9e32e2d77a20ec8170991d2db9b85d5a03411c
Opcode Fuzzy Hash: d15966665af7c63bfc69cf10254b49aa8a80bc0e5efb5ff61f34cf4ca4ebe78a
Instruction Fuzzy Hash: 1101CC24B49E47D0EB15DB65FC6057963A4BF45FA8F980532DD4D82210EE3CE149E388

Function 00007FF61864E170 Relevance: 12.3, APIs: 2, Strings: 6, Instructions: 257stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF61864E3A4

Strings

,{lW, xrefs: 00007FF61864E4F1
MZ, xrefs: 00007FF61864E1A3
,{lW, xrefs: 00007FF61864E4B0
lcJ, xrefs: 00007FF61864E47B
lcJ, xrefs: 00007FF61864E5D1
DZ3, xrefs: 00007FF61864E386

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: strlen
String ID: ,{lW$,{lW$DZ3$MZ$lcJ$lcJ
API String ID: 39653677-2314944304
Opcode ID: 2172c7969333ebb2ae82d8d98b640c3ebf37e01d88012758d8cfca309f05445d
Instruction ID: 19a3777862a9e930e41399151b81b136337add30a1a848f9a2fe246d37da3c57
Opcode Fuzzy Hash: 2172c7969333ebb2ae82d8d98b640c3ebf37e01d88012758d8cfca309f05445d
Instruction Fuzzy Hash: 3CC18F61A08D8685E721DB35E8603BE6362BFC0B74F844031EA4D87799DF7CE549E784

Function 00007FF618644F70 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

longjmp.MSVCRT ref: 00007FF618645007
exit.MSVCRT ref: 00007FF61864501A

Strings

sysFatal, xrefs: 00007FF618645091
fatal.nim, xrefs: 00007FF618645084
5, xrefs: 00007FF61864507B
ReraiseDefect, xrefs: 00007FF618645026

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitlongjmp
String ID: 5$ReraiseDefect$fatal.nim$sysFatal
API String ID: 2266059207-1761478562
Opcode ID: 96f358a524f32e1aed7c9d5d6556c4e98dd1512212eee70b9c6d99e0827447cc
Instruction ID: e55671148f0f03caff3e758b2aed497518041f0d19bc6e8a57b74c348c7a1ac4
Opcode Fuzzy Hash: 96f358a524f32e1aed7c9d5d6556c4e98dd1512212eee70b9c6d99e0827447cc
Instruction Fuzzy Hash: BE314A35A09E06A0EB009B24E4982BD73A4FF94FA4F540436DA1C83392EF38E544E3D8

Function 00007FF61864B080 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF61864B14B
VariantCopy.OLEAUT32 ref: 00007FF61864B1A1

Strings

toVariant, xrefs: 00007FF61864B366
com.nim, xrefs: 00007FF61864B350
VariantConversionError, xrefs: 00007FF61864B2D7

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: CopyInitializeVariant
String ID: VariantConversionError$com.nim$toVariant
API String ID: 633353902-3035603046
Opcode ID: feaf87982f694a6c8e442a242bb527772386966bb8b5cce9090a7bfb967f708d
Instruction ID: 36d0cc5df852142adc3d7a8c94db8a3e5ce0b50070a4ed0f83a56b304223b77f
Opcode Fuzzy Hash: feaf87982f694a6c8e442a242bb527772386966bb8b5cce9090a7bfb967f708d
Instruction Fuzzy Hash: CF915921A0AF4280EB109B75E8643BE63A0FF94FA4F940535DA4D87799DF7CE404E788

Function 00007FF618656E90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF618656EB8

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: a4381fa92cb0d565006f9dfff1b99eef7e1d365cb7ea1ddf9efebcac2aa79064
Instruction ID: 1fc4314baea558ae1293197643bde0afdc45d822699a79892980f7aa536beef9
Opcode Fuzzy Hash: a4381fa92cb0d565006f9dfff1b99eef7e1d365cb7ea1ddf9efebcac2aa79064
Instruction Fuzzy Hash: 52410672E09F0589F7208B74D55437C23A1AB45BB8F204A35D92DC7BEACE3CE941A385

Function 00007FF618641E40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF618641E69
fflush.MSVCRT ref: 00007FF618641E71
exit.MSVCRT(?,?,?,?,?,?,?,00007FF6186622C0), ref: 00007FF618641E7B

Strings

[GC] cannot register global variable; too many global variables, xrefs: 00007FF618641E5C

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitfflushfwrite
String ID: [GC] cannot register global variable; too many global variables
API String ID: 3476253079-2146260042
Opcode ID: 29812f787e1599843f91b4f967f7b950ef688920f6c1d8c3de6006fb422d7a35
Instruction ID: 4272ef23a561b587f934a18aa4c0591e944861dce32174515a312b896c59a25f
Opcode Fuzzy Hash: 29812f787e1599843f91b4f967f7b950ef688920f6c1d8c3de6006fb422d7a35
Instruction Fuzzy Hash: 93516BB2B05E5181EF44CB28D0643BC27A1FB94F94F558631CA1E87392EF7EE5469384

Function 00007FF6186420F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF61864210E
exit.MSVCRT ref: 00007FF61864223F

Strings

could not import: , xrefs: 00007FF618642203
@, xrefs: 00007FF618642163

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: AddressProcexit
String ID: @$could not import:
API String ID: 2129014486-260091680
Opcode ID: f09754910e3e8cb936a1675167e3d2a009b0b329895b95ccb8fea2a27c7e7849
Instruction ID: c4a56ba508c6b5748bafc265ca7209f7d873cfe7036ef82ba93ddf71c1da3526
Opcode Fuzzy Hash: f09754910e3e8cb936a1675167e3d2a009b0b329895b95ccb8fea2a27c7e7849
Instruction Fuzzy Hash: 35312552F09A8291EF25D739E9203BD5B52AB85BD4F584135CF0E47385DE2DD0069384

Function 00007FF618645970 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

longjmp.MSVCRT ref: 00007FF618645A07
exit.MSVCRT(?,?,00000000,00000000,00007FF618645AB5), ref: 00007FF618645A17

Strings

sysFatal, xrefs: 00007FF618645A23
fatal.nim, xrefs: 00007FF618645A22

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitlongjmp
String ID: fatal.nim$sysFatal
API String ID: 2266059207-2644091575
Opcode ID: c477938fe259c137f17db8573d3d48f01283773be389f318350ec4beba3344b7
Instruction ID: 6016670c031afd4bdfee767afd1fe5d401352b52084db3128634fe6527bcc251
Opcode Fuzzy Hash: c477938fe259c137f17db8573d3d48f01283773be389f318350ec4beba3344b7
Instruction Fuzzy Hash: F3417472A05E0691EF009B28D8A877D73A4FB98FE4F544535EA4C87790EF78D445D388

Function 00007FF618642050 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF618641DB0: strlen.MSVCRT ref: 00007FF618641DC1
Part of subcall function 00007FF618641DB0: fwrite.MSVCRT ref: 00007FF618641DD4

GetLastError.KERNEL32 ref: 00007FF6186420A2
exit.MSVCRT(?,?,?,00007FF61866223B), ref: 00007FF6186420CA

Strings

(bad format; library may be wrong architecture), xrefs: 00007FF6186420D6
could not load: , xrefs: 00007FF618642070

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: ErrorLastexitfwritestrlen
String ID: (bad format; library may be wrong architecture)$could not load:
API String ID: 671075621-2754783905
Opcode ID: f74af93159ec3b986ac481cf631a12f3a498c680a62705fde9ca631de226845a
Instruction ID: 8aa0e071a75e1ca80512bd772d9fd2a198c1d5d3e89d8d2ce41442d936af29f5
Opcode Fuzzy Hash: f74af93159ec3b986ac481cf631a12f3a498c680a62705fde9ca631de226845a
Instruction Fuzzy Hash: B2014450B09E5381FB04B771E8653B852A6AF94FA0F540035DD0EC73C7EE2DA441D399

Function 00007FF618641DF0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF618641E19
fflush.MSVCRT ref: 00007FF618641E21
exit.MSVCRT(?,?,?,00007FF6186622C0), ref: 00007FF618641E2B

Strings

[GC] cannot register thread local variable; too many thread local variables, xrefs: 00007FF618641E0C

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: exitfflushfwrite
String ID: [GC] cannot register thread local variable; too many thread local variables
API String ID: 3476253079-685140759
Opcode ID: 41490137f2756b60f423ddc810860dccecf2b5eb74e20a2dfacef0102946c7a4
Instruction ID: 7c016e40807b1a637b9a24bddbe56de7df40422fda87856fb7041b1c98f0c97b
Opcode Fuzzy Hash: 41490137f2756b60f423ddc810860dccecf2b5eb74e20a2dfacef0102946c7a4
Instruction Fuzzy Hash: 9EE08C20A04A814AE3006BB2A4153B86650FF97F90F401034D90E973C3CE2D90429388

Function 00007FF848E64182 Relevance: 6.5, Strings: 5, Instructions: 205COMMON

Download Yara Rule

Strings

9i, xrefs: 00007FF848E6420F
9Q, xrefs: 00007FF848E64227
9!, xrefs: 00007FF848E64257
9, xrefs: 00007FF848E6426F
99, xrefs: 00007FF848E6423F

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: 9$9!$99$9Q$9i
API String ID: 0-1690732360
Opcode ID: ff5b9ab47a6bacd3042c26211afbfdf63c73c55c1783c52ee89202a6331a0f45
Instruction ID: 2003889ec95a35cb86ec2b6eddfb5dc072d7d20a759b795c10ff3abc64cdb992
Opcode Fuzzy Hash: ff5b9ab47a6bacd3042c26211afbfdf63c73c55c1783c52ee89202a6331a0f45
Instruction Fuzzy Hash: C861BF2154E6CC1FD707A7FC15661E9BFE09F666207AC05DEC4C98F5A2C91CA887C385

Function 00007FF61864A3E0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF618643F10: memset.MSVCRT ref: 00007FF618643FA2

Part of subcall function 00007FF618652790: memcpy.MSVCRT ref: 00007FF6186528EB

memcpy.MSVCRT ref: 00007FF61864A6F3

Strings

CLRError, xrefs: 00007FF61864A43D
clr.nim, xrefs: 00007FF61864A647
clrError, xrefs: 00007FF61864A64E

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: memcpy$memset
String ID: CLRError$clr.nim$clrError
API String ID: 438689982-2830349459
Opcode ID: e048558dc86e6f5a9352b3e37d4a831861b57ce832144c4fdce3ff389ed0c927
Instruction ID: 06c78d002ca072f97161da44ba19796811ac4b373146f5cba75e83525047d9ab
Opcode Fuzzy Hash: e048558dc86e6f5a9352b3e37d4a831861b57ce832144c4fdce3ff389ed0c927
Instruction Fuzzy Hash: B491E362A08F8255EB158B25A9102BD2B61FF84FB4F440231EF6D8B3C2DF2CE550E394

Function 00007FF61864A080 Relevance: 6.1, APIs: 4, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00007FF61864A0A1
MultiByteToWideChar.KERNEL32 ref: 00007FF61864A139
MultiByteToWideChar.KERNEL32 ref: 00007FF61864A19C
SysAllocString.OLEAUT32 ref: 00007FF61864A1AD

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: ByteCharMultiWide$AllocInitializeString
String ID:
API String ID: 1889743751-0
Opcode ID: e0bb64149f93d728e33b5e0fbb6459ea89275909b76d61481fabf21199463d14
Instruction ID: 265b1ecc6406499e316111c48663d00cf411d4df90e3a842864f0a4313cfbb6a
Opcode Fuzzy Hash: e0bb64149f93d728e33b5e0fbb6459ea89275909b76d61481fabf21199463d14
Instruction Fuzzy Hash: 7D51AF62B0AF4690FB109B35A82437E67A0BF94FA4F584135DA0D87395EF3CE445E388

Function 00007FF618643170 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32 ref: 00007FF61864327E
exit.MSVCRT ref: 00007FF618643299

Strings

virtualFree failing!, xrefs: 00007FF618643288

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: FreeVirtualexit
String ID: virtualFree failing!
API String ID: 1212090140-3108117800
Opcode ID: 5a5d7f3fc116070e423d12f439fdbadc18ae0e903acef11f49e85f90fe83bf56
Instruction ID: c0a654b4bf5fbd7d27de5657561ea2011eeff32b78b79107cbd5d79d896bfdd2
Opcode Fuzzy Hash: 5a5d7f3fc116070e423d12f439fdbadc18ae0e903acef11f49e85f90fe83bf56
Instruction Fuzzy Hash: AF51C2B2A05F8180EF05CB25C569BAD33A5FB94BA0F51C235C65D87384EF3AD584D384

Function 00007FF6186564B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

Unknown error, xrefs: 00007FF61865654A
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: f5ed3b677f2f48d0590d541834f8938872b46eabe71cd71ba44e55bff7287e57
Instruction ID: c0565396ea39fcefbfda1a7b0e3cb648e662b32f21e44c31f051f1c6f411da7f
Opcode Fuzzy Hash: f5ed3b677f2f48d0590d541834f8938872b46eabe71cd71ba44e55bff7287e57
Instruction Fuzzy Hash: 27217926A04F849AD711CF69E8403EA7371FF59BA8F444622EE8C57724EF38C24AC300

Function 00007FF61865653D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF61865653D
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 2dbb23b2c733bdc5e2c88e864f8e4be43479ddb640e3ee14439bc3aa9eb47380
Instruction ID: 681872378f8b6965354e993a2fccc59937e916cb7d1391e2763be282fc752f8b
Opcode Fuzzy Hash: 2dbb23b2c733bdc5e2c88e864f8e4be43479ddb640e3ee14439bc3aa9eb47380
Instruction Fuzzy Hash: B5017C26A04F848AD711CF69D8402AA7771FF5DBA8F044722EF8D27765DF28C189D340

Function 00007FF618656530 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

Total loss of significance (TLOSS), xrefs: 00007FF618656530
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 224748f1aa114ad75b1f1ac9416724a679c86d711bcf6c7fa56f51eb8680cdc8
Instruction ID: b8a7bd9c511dfc30071d2d231488d7bc4f7f50a11415dc56549139907e78d974
Opcode Fuzzy Hash: 224748f1aa114ad75b1f1ac9416724a679c86d711bcf6c7fa56f51eb8680cdc8
Instruction Fuzzy Hash: 9C017C26A04F888AD711CF69D8402AA7771FF5DBA8F044722EF8D27769DF28C185D340

Function 00007FF618656516 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF618656516
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 2ccf02da138a7f67b759a146aa06823c0007208c8fea492fe6df19dd1a8d4ce2
Instruction ID: 3d7cf50a8b13dd009eac55de7e61bc2674518e2fee46bf8573463a5d05a59b90
Opcode Fuzzy Hash: 2ccf02da138a7f67b759a146aa06823c0007208c8fea492fe6df19dd1a8d4ce2
Instruction Fuzzy Hash: 41017C26A04F848AD711CF69D8402AA7771FF5DBA8F044726EF8D27769DF28C185D340

Function 00007FF618656523 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF618656523
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: b8127e0a148a3f2144de23711edacc057c0f970e361e3f338bc60eb4b9e6ada2
Instruction ID: 91763f853cdfd93e27d15687f58216b8973e5e8b89cd145c08e6cc80bdc146e2
Opcode Fuzzy Hash: b8127e0a148a3f2144de23711edacc057c0f970e361e3f338bc60eb4b9e6ada2
Instruction Fuzzy Hash: 0C017C26A04F848AD711CF69D8402AA7771FF5DBA8F044726EF8D27769DF28C185D344

Function 00007FF618656509 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

Argument singularity (SIGN), xrefs: 00007FF618656509
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 041973ba09f51f5bbe3c4b1c88ac10a69af53ca7432e29cfd1701aba7b0af9e6
Instruction ID: 1b65328334aecc317225a61fbe5a9ad0f448309576b0de1484abe1593fcc8d38
Opcode Fuzzy Hash: 041973ba09f51f5bbe3c4b1c88ac10a69af53ca7432e29cfd1701aba7b0af9e6
Instruction Fuzzy Hash: 07015A26A04F888AD711CF69D8402AA7771FB5DBA8F044722EF8D27769DF28C185D340

Function 00007FF6186564FC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF6186565AE

Strings

Argument domain error (DOMAIN), xrefs: 00007FF6186564FC
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF6186565A4

Memory Dump Source

Source File: 00000003.00000002.2145066843.00007FF618641000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF618640000, based on PE: true

Associated: 00000003.00000002.2145038409.00007FF618640000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145104906.00007FF618663000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145131553.00007FF618664000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145262418.00007FF6186E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145323035.00007FF6186F8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145450621.00007FF6186FE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145562791.00007FF618707000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2145647893.00007FF61870A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff618640000_gEP8SOoakR.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: a146f8cdcdf8742bd3899f7bf3c1021d3d1a80d061f4e761973d6a360533c67e
Instruction ID: 5712630d364b0a5830d1c4483717d1c32082dd7ed30d3e5b69a8c5f8bce2d20b
Opcode Fuzzy Hash: a146f8cdcdf8742bd3899f7bf3c1021d3d1a80d061f4e761973d6a360533c67e
Instruction Fuzzy Hash: 8F017C26A04F888AD711CF69D8402AA7771FF5DBA8F044726EF8D27769DF28C185D340

Function 00007FF848E68BFA Relevance: 5.1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

Strings

N_^*, xrefs: 00007FF848E68C72
N_^,, xrefs: 00007FF848E68C7A
N_^2, xrefs: 00007FF848E68C92
N_^(, xrefs: 00007FF848E68C6A

Memory Dump Source

Source File: 00000003.00000002.2146606507.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848e60000_gEP8SOoakR.jbxd

Similarity

API ID:
String ID: N_^($N_^*$N_^,$N_^2
API String ID: 0-46808458
Opcode ID: 22f594e5524680a48dd261e105dfdeec3c63ce7310ea9c0b8d80d7b14f2accbd
Instruction ID: 554a6422e312b9ded25c3e57e168fb5322527e03e2a9ce099b9b6ec1109991ed
Opcode Fuzzy Hash: 22f594e5524680a48dd261e105dfdeec3c63ce7310ea9c0b8d80d7b14f2accbd
Instruction Fuzzy Hash: EA21E7E769D4117ED30976ADAC611F92740FF502B4B4D5172E39CCB103EE24604A8ADA

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gEP8SOoakR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\gep8sooakr.exe.log

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: gEP8SOoakR.exePID: 6768, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 6528, Parent PID: 6768

General

Windows Analysis Report
gEP8SOoakR.exe

Function 00007FF618641154 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 193
COMMON

Function 00007FF61864F6D0 Relevance: 4.9, APIs: 3, Instructions: 373
fileCOMMON

Function 00007FF61865D9E0 Relevance: 293.3, APIs: 4, Strings: 162, Instructions: 2775
COMMON

Function 00007FF618648C30 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 190
libraryloaderCOMMON

Function 00007FF618642260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
memoryCOMMON

Function 00007FF618642290 Relevance: 3.9, APIs: 3, Instructions: 153
memoryCOMMON

Function 00007FF61864BB80 Relevance: 3.9, APIs: 3, Instructions: 143
COMMON

Function 00007FF618645B50 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 96
COMMON

Function 00007FF618652AF0 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 00007FF618657A84 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 36
stringCOMMON

Function 00007FF618642370 Relevance: 2.6, APIs: 2, Instructions: 149
memoryCOMMON

Function 00007FF618657900 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Function 00007FF618652BF0 Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Function 00007FF618642EA0 Relevance: 1.4, APIs: 1, Instructions: 161
memoryCOMMON

Function 00007FF618643F10 Relevance: 1.3, APIs: 1, Instructions: 91
COMMON