Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
Analysis ID:	1546294
MD5:	3722d2ad2f7e099039229456b7472711
SHA1:	c47a0ee5139f2da6f90dd3f84b447c3bc3553c67
SHA256:	b45d4d18149c6ba9966559208f3c5303dd9b20eeb43d5cf75aba272f2021364e
Tags:	Amadeyexe
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Abnormal high CPU Usage

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found large amount of non-executed APIs

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe (PID: 2876 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe" MD5: 3722D2AD2F7E099039229456B7472711)

calibre.exe (PID: 1396 cmdline: C:\Users\Public\Documents\calibre.exe MD5: 853D888553D002A04484C098A3D7045F)

wscript.exe (PID: 3064 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

calibre.exe (PID: 5644 cmdline: "C:\Users\Public\Documents\calibre.exe" MD5: 853D888553D002A04484C098A3D7045F)

cleanup

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Documents\calibre.exe, CommandLine: C:\Users\Public\Documents\calibre.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\calibre.exe, NewProcessName: C:\Users\Public\Documents\calibre.exe, OriginalFileName: C:\Users\Public\Documents\calibre.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, ParentProcessId: 2876, ParentProcessName: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, ProcessCommandLine: C:\Users\Public\Documents\calibre.exe, ProcessId: 1396, ProcessName: calibre.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js" , ProcessId: 3064, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js" , ProcessId: 3064, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js" , ProcessId: 3064, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\Public\Documents\calibre.exe, ProcessId: 1396, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calibre.url

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Public\Documents\calibre-launcher.dll

Avira: detection malicious, Label: TR/Dldr.Deyma.haljq

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Documents\calibre-launcher.dll

ReversingLabs: Detection: 66%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: Joe Sandbox View

IP Address: 45.202.35.101 45.202.35.101

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://s.symcd.com06
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://calibre-ebook.com
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\Public\Documents\calibre.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8948D0 NtWriteFile,WaitForSingleObject,		0_2_00007FF63B8948D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8947B0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,		0_2_00007FF63B8947B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8517B0	0_2_00007FF63B8517B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8C64F0	0_2_00007FF63B8C64F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B858500	0_2_00007FF63B858500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B89E530	0_2_00007FF63B89E530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B87F520	0_2_00007FF63B87F520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8D1450	0_2_00007FF63B8D1450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8E9490	0_2_00007FF63B8E9490
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B996CB2	0_2_00007FF63B996CB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B853410	0_2_00007FF63B853410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B857400	0_2_00007FF63B857400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B887C30	0_2_00007FF63B887C30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B858C20	0_2_00007FF63B858C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8A1370	0_2_00007FF63B8A1370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B885B70	0_2_00007FF63B885B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B89F310	0_2_00007FF63B89F310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B880240	0_2_00007FF63B880240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85AAA0	0_2_00007FF63B85AAA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8DC9D0	0_2_00007FF63B8DC9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85CA10	0_2_00007FF63B85CA10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8E3970	0_2_00007FF63B8E3970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B882180	0_2_00007FF63B882180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8648F0	0_2_00007FF63B8648F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85E0F0	0_2_00007FF63B85E0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85C935	0_2_00007FF63B85C935
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85A130	0_2_00007FF63B85A130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8CB880	0_2_00007FF63B8CB880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B9987CF	0_2_00007FF63B9987CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B88D7E0	0_2_00007FF63B88D7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8DB760	0_2_00007FF63B8DB760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8E5F90	0_2_00007FF63B8E5F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85BF90	0_2_00007FF63B85BF90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B884EC0	0_2_00007FF63B884EC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85D637	0_2_00007FF63B85D637
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B8DAE80	0_2_00007FF63B8DAE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85D6A8	0_2_00007FF63B85D6A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B85B550	0_2_00007FF63B85B550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B857D70	0_2_00007FF63B857D70

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Number of sections : 11 > 10

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, 00000000.00000000.2110369412.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecalibre.exe0 vs SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Binary or memory string: OriginalFilenamecalibre.exe0 vs SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Source: classification engine

Classification label: mal100.expl.evad.winEXE@6/6@0/1

Source: C:\Users\Public\Documents\calibre.exe

Code function: 4_2_000B121C GetProcAddress,GetLastError,FormatMessageW,LocalFree,

4_2_000B121C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

File created: C:\Users\Public\Documents\calibre.exe

Jump to behavior

Source: C:\Users\Public\Documents\calibre.exe	Mutant created: \Sessions\1\BaseNamedObjects\vDbXW
Source: C:\Users\Public\Documents\calibre.exe	Mutant created: \Sessions\1\BaseNamedObjects\2f985c58743b38fb2171f673f820cbba

Source: C:\Users\Public\Documents\calibre.exe

File created: C:\Users\user\AppData\Local\Temp\WikG.zip

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

ReversingLabs: Detection: 47%

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: Failed to get the calibre-launcher dll entry point
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: calibre-launcher.dll
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: Failed to load: calibre-launcher.dll
Source: calibre.exe	String found in binary or memory: calibre-launcher.dll
Source: calibre.exe	String found in binary or memory: Failed to get the calibre-launcher dll entry point
Source: calibre.exe	String found in binary or memory: Failed to load: calibre-launcher.dll
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: calibre.execalibre-launcher.dllMZ
Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	String found in binary or memory: Installation directory path too longExecutable path has no path separatorsapp\bin%sFailed to set DLL directoryucrtbase.dllUnable to find ucrtbase.dll. You should install all Windows updates on your computer to get this file.calibre-launcher.dllFailed to load: calibre-launcher.dllexecute_python_entrypointFailed to get the calibre-launcher dll entry pointsimple_printcalibrecalibre.gui_launch

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Process created: C:\Users\Public\Documents\calibre.exe C:\Users\Public\Documents\calibre.exe
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\Documents\calibre.exe "C:\Users\Public\Documents\calibre.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Process created: C:\Users\Public\Documents\calibre.exe C:\Users\Public\Documents\calibre.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\Public\Documents\calibre.exe "C:\Users\Public\Documents\calibre.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: calibre-launcher.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: calibre-launcher.dll	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\Public\Documents\calibre.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static file information: File size 3107319 > 1048576

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x200200

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\Public\Documents\calibre.exe

Code function: 4_2_000B108C GetModuleFileNameW,wsprintfW,SetDllDirectoryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_000B108C

Source: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Static PE information: section name: .xdata
Source: calibre-launcher.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	File created: C:\Users\Public\Documents\calibre-launcher.dll			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	File created: C:\Users\Public\Documents\calibre.exe			Jump to dropped file

Source: C:\Users\Public\Documents\calibre.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calibre.url

Jump to behavior

Source: C:\Users\Public\Documents\calibre.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calibre.url

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

API coverage: 5.1 %

Source: C:\Users\Public\Documents\calibre.exe TID: 5444	Thread sleep time: -6000000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 5432	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 1628	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 1628	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe TID: 5444	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\Public\Documents\calibre.exe

Last function: Thread delayed

Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: wscript.exe, 00000003.00000002.2250035011.000001DDF2591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0
Source: wscript.exe, 00000003.00000002.2250035011.000001DDF2591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000003.00000002.2250035011.000001DDF2591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\Public\Documents\calibre.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Documents\calibre.exe

Code function: 4_2_000B108C GetModuleFileNameW,wsprintfW,SetDllDirectoryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_000B108C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63B851180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,		0_2_00007FF63B851180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Code function: 0_2_00007FF63BB01B88 SetUnhandledExceptionFilter,		0_2_00007FF63BB01B88

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

NtWriteFile: Indirect: 0x7FF63B894946

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Process created: C:\Users\Public\Documents\calibre.exe "C:\Users\Public\Documents\calibre.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	Queries volume information: C:\Users\Public\Documents VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\Public\Documents VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\Public\Documents\calibre.exe VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\calibre.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Directory queried: C:\Users\Public\Documents

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Command and Scripting Interpreter	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	2 Registry Run Keys / Startup Folder	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Data from Local System	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	11 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	47%	ReversingLabs	Win64.Trojan.Generic
SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe	100%	Avira	TR/AVI.Agent.aeapp

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Documents\calibre-launcher.dll	100%	Avira	TR/Dldr.Deyma.haljq
C:\Users\Public\Documents\calibre-launcher.dll	67%	ReversingLabs	Win32.Ransomware.Zombie
C:\Users\Public\Documents\calibre.exe	0%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
https://calibre-ebook.com	SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe, calibre.exe.0.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.202.35.101	unknown	Seychelles		139086	ONL-HKOCEANNETWORKLIMITEDHK	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546294
Start date and time:	2024-10-31 18:26:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
Detection:	MAL
Classification:	mal100.expl.evad.winEXE@6/6@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 11 Number of non-executed functions: 72
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Simulations

Behavior and APIs

Time	Type	Description
13:27:04	API Interceptor	10738817x Sleep call for process: calibre.exe modified
18:27:08	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calibre.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.202.35.101	4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll	Get hash	malicious	Unknown	Browse	45.202.35.101/pLQvfD4d5/index.php?scr=1
	file.exe	Get hash	malicious	Amadey	Browse	45.202.35.101/pLQvfD4d/index.php
	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	45.202.35.101/pLQvfD4d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	45.202.35.101/pLQvfD4d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	45.202.35.101/pLQvfD4d/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ONL-HKOCEANNETWORKLIMITEDHK	tppc.elf	Get hash	malicious	Mirai	Browse	156.249.107.39
	garm5.elf	Get hash	malicious	Mirai	Browse	156.249.107.42
	gppc.elf	Get hash	malicious	Mirai	Browse	156.249.107.35
	splx86.elf	Get hash	malicious	Unknown	Browse	45.202.74.210
	harm6.elf	Get hash	malicious	Mirai	Browse	156.249.107.25
	IOmQOw6dHu.exe	Get hash	malicious	Metasploit	Browse	45.202.35.85
	80P52RWkMs.exe	Get hash	malicious	Metasploit	Browse	45.202.35.85
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	156.249.107.57
	sample.bin	Get hash	malicious	Okiru	Browse	45.202.35.64
	gppc.elf	Get hash	malicious	Mirai	Browse	156.249.107.11

Process:	C:\Users\Public\Documents\calibre.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.852057801022138
Encrypted:	false
SSDEEP:	3:qsYYFRiMILzHMZm7AX+rSF55cGdAl+pCwJMe:qs1qrEm7Dy3dAWJMe
MD5:	8486D6BD6C65F7FAB3BDF24FD9B715CB
SHA1:	2937534C0F81BB1F0E7D217F2DC0BACD1C89FCE9
SHA-256:	537AB7D9F2E639C83D0E1AA672A2D0D8556E6EB12CEB41A7897C907A5D3479DC
SHA-512:	C314E2FD599D264CE0C072192693726A49276DFCC9DB77B46164893430ABC5B8773734CF140ECE8E3B396FAE12E6A676938C9C78907EC9DA9717DE6688638497
Malicious:	true
Reputation:	low
Preview:	var shell = new ActiveXObject("WScript.Shell");.shell.Run("C:\\Users\\Public\\Documents\\calibre.exe");

C:\Users\Public\Documents\calibre-launcher.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1875616
Entropy (8bit):	7.129043597661067
Encrypted:	false
SSDEEP:	49152:zxx6EC4qHIDW+kEFYs8MW39W0CTvEtUAEo8:4ADWPEFYkWvyEtUAEo8
MD5:	374FBD650936435626A9940406662FFD
SHA1:	D7FD20E2B2805883EB97BD383CCB24E8B62FEA32
SHA-256:	4B7B5BC7B0D1F70ADF6B80390F1273723C409B837C9575EE1CD4B963CF9E5C7D
SHA-512:	1F3D40E2C6FED4353B60E09300E0BFABF7C4847B0C3584D5D21442CE950E9FD35708F7EC443CCB3DBD566B22CCF48373EAF76AF5374144FD6B1CAE17FAF043CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.^........&#...&.....Z......................................................\.....@... .............................. ...............................`..Lb..........................hU......................($..`............................text...............................`..`.data...............................@....rdata..............................@..@.eh_fram.....p.......N..............@..@.bss.....................................edata..............................@..@.idata....... ......................@....CRT....4....@......................@....tls.........P......................@....reloc..Lb...`...d..................@..B................................................................................................................................................................................................................................

C:\Users\Public\Documents\calibre.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65472
Entropy (8bit):	6.069013718964596
Encrypted:	false
SSDEEP:	1536:Kp7+J62CmRRs2RGyUYoz5TjSGC1psqyl3ht0:07j2Ju2QCoz5PSd1CdJ0
MD5:	853D888553D002A04484C098A3D7045F
SHA1:	D275AB06CC89DB7293F9575D24DD83DCB41F56CA
SHA-256:	64BDDE10CFFF243A25B021296773816057DB1620DF56EBD4DB9178DCB88D2EAA
SHA-512:	FF3F4C48EEDA7379ED6CE4A4C6456342EBCDC6751FCC15225D85066C19EE33EFFA52A9FA6298F8462AE5A6964E27E7D490AB31B6E3DB8DF3D8AA1DCE967C6DDC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................\|......\|.I......!....\|......Rich...........................PE..L.....a............................l........ ....@..........................0............@..................................$..<....@....................... ..`....#............................................... ..@............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..`.... ......................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\246122658369

Download File

Process:	C:\Users\Public\Documents\calibre.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	98470
Entropy (8bit):	7.881390022741581
Encrypted:	false
SSDEEP:	1536:CLjxMeVHb/brbrXVgIbd+LPjR/wpB/APlQrtMx4ggP9lA9oQOAW7twNw:EqeV7b/hELrRI6P2rGqggFCMAW2u
MD5:	EAB97AFF6E10A22D48E96558366CA74C
SHA1:	5EB08EF394278512532F556C368AB35CCBBA5510
SHA-256:	D4A20B50D5DC218798A7633B36A017C64B9ED30E6BD542D065C32A16BA33B153
SHA-512:	705747A4F207404E2267333DB7A544F2F4EF1102A796DB7B67B55B786AABE3E45445E82968462FBFA19FF75737F9C17350B33B18CA65402AEBABFFA3506BBB3D
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..<.t..A...#'..N>.._.u.......^y.[......1..].+..B....%?........r.....{f`.'(Xw...&e.......Q...8X.V..._.^.(..(...&(.......\|Am{.....;..qy..p.'. .......1..T.Z.3o...?..r\|.9...>H.].s=].J..G+Ez..+.....+..&%......u._......Uy..........

C:\Users\user\AppData\Local\Temp\WikG.zip

Download File

Process:	C:\Users\Public\Documents\calibre.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	437334
Entropy (8bit):	7.937476740474522
Encrypted:	false
SSDEEP:	6144:oV2qcyBMNd5NIjt2Bb+Zzfl9C8Ar5+zsGxPA3cYhHjlpzzDAH93uF+G8hhFe8JOT:oHMZCoN+ZLHqrX+fYZzQd3Q8ha2w
MD5:	6BC43168B53411F432B1FC8D811E2E50
SHA1:	64FF05095F5AD2CBE5ECEA8E8DCE50FC53A373E5
SHA-256:	4067D756583BB1BEC8D76E83E6252F50BDD2E84BDAA7DC90AB891AC719F8654D
SHA-512:	94DF56B72F976448A92150D573D19F9319C6D02CD971D2A5303E4F48C2102454C637235004E06FE75DBD9498315B1B03167668F7D9681C7F88D2E98D954A5FD6
Malicious:	false
Reputation:	low
Preview:	PK........9.MYy.m............CRT.zlib.y8.....bIE.4.T.,I...K.T.!Y&1h.In....lI...R"..-S..,cP.Rd...wR3u....?.....;.{.{..=.93....R...U...a.q....4.&7...6...$d..K..D..'....0.....~t<....f.......$.yI..x..`.K.k..T.E.e.7...I.L.o6...............m.2.......n..."......Y..K.oz..hL.....v>..i...$..'.M.LX.IQ.g."m.U:...B3E...........<1...X.+....A...h..B....jR.Q9{i...[.X.z}J..Lz%v^..?/..u6EQF...J.yG.....3SV=/\.......\.lWI...8.C\[.,.w!..4...p}k-.l....S..._.w5.*(.8....D\m..-..J}..9.%.c..r....=u1SUY4`....Vm.SO.]l../J..i.{S.o.8t.r..A.$...p.[...M..6....@..2..[PC.F.>~.p...M..Kl.....u./-./u....9S...sH....../..W..a.\./?...Y.;.....<];Z....w...\|...E...j.uD.7$.T.9..&...1'9.....=..... #.(....n!..mo8...._}w...4).+.k....._>^.........3g.........................K.}&................<.....>..m..D.FZgx.?......9Z.x.S.mO'....!..s;3...E.....D.........m....9E...2......Tw.\.Z..T/ubMQ@.....y\.-...e.5.>y..8W...c.......U.;i.>.g..W.E...yye..<S...x.N....).....?...{..o...E..].w..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calibre.url

Download File

Process:	C:\Users\Public\Documents\calibre.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\Public\Documents\CalibreLauncher.js>), ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	4.732987672525596
Encrypted:	false
SSDEEP:	3:HRAbABGQF0tuOaHF5hdCl+W3FQTo:HRYF1EOaH9dC93qk
MD5:	B57269D59D51FFF22FB523B705A783C4
SHA1:	EAFD4DFB619C55616C2EB09C5EFFD8A97DF39BBA
SHA-256:	B5D078FC21D1724F04CABAA1792F5250819C7F892A9958EE775ED7B81374F47C
SHA-512:	51640F0E4C4DCFA2604D066B040BC965F525CF59B5D0D0335B52E082E11CE2308BBCC9E4A9B03E87FF98BE3AF3109374BF7F9319F5C69A2B8B60799237768F2F
Malicious:	true
Reputation:	low
Preview:	[InternetShortcut].URL=file:///C:\Users\Public\Documents\CalibreLauncher.js.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.946634368795593
TrID:	MS Flight Simulator Gauge (35075/8) 68.65% Win64 Executable (generic) (12005/4) 23.50% Generic Win/DOS Executable (2004/3) 3.92% DOS Executable Generic (2002/1) 3.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
File size:	3'107'319 bytes
MD5:	3722d2ad2f7e099039229456b7472711
SHA1:	c47a0ee5139f2da6f90dd3f84b447c3bc3553c67
SHA256:	b45d4d18149c6ba9966559208f3c5303dd9b20eeb43d5cf75aba272f2021364e
SHA512:	9f6bdd68d94f4a1d28657e72b0936fb863f0d91fad9b09c59457714dd78e0947e4932ced5090bc4617ae132ee339093beb5a7a97d74b02b6d4b18bd5c5a99b0e
SSDEEP:	49152:bBLAtsnsD8dnET/3lAsxx6EC4qHIDW+kEFYs8MW39W0CTvEtUAEo28/8VtznIqUf:bBLAWPdk/SADWPEFYkWvyEtUAEod8VBg
TLSH:	93E5AE02B8A56D6DD95E6130409F9336BB393C094133EBF746BAF9706E17A527E0C70A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.........&..........*................@.............................p+.....'./...`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400013d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x670CA605 [Mon Oct 14 05:03:01 2024 UTC]
TLS Callbacks:	0x400536d0, 0x1, 0x4009a840, 0x1, 0x4009a810, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	21f0b9c7ad8e2cd2151d01ad6aa5cbd9

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0029BCD5h]
mov dword ptr [eax], 00000001h
call 00007F6E18E0C76Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0029BCB5h]
mov dword ptr [eax], 00000000h
call 00007F6E18E0C74Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F6E18EA5CA4h
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F6E18E0C9A9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebx
dec eax
sub esp, 20h
mov ebx, ecx
dec eax
mov eax, dword ptr [0029BCCAh]
movzx eax, byte ptr [eax]
mov ecx, 00000018h
mov edx, 00000008h
call 00007F6E18E0D815h
dec eax
test eax, eax
je 00007F6E18E0C9FFh
dec eax
mov dword ptr [eax], 00000000h
dec eax
mov dword ptr [eax+08h], 00000001h
dec eax
mov dword ptr [eax+10h], 00000000h
dec esp
lea eax, dword ptr [0009BB8Dh]
mov ecx, ebx
dec eax
mov edx, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2b1000	0x1bc8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2b5000	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x29e000	0x6054	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b6000	0xda8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x29cd00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b16a8	0x5c8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9a868	0x9aa00	c127c2820cf3b79733c66fb7509aa021	False	0.4804876970493129	data	6.3666595724298345	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x9c000	0x1c0	0x200	3f76232263964398b627078cf1451ce6	False	0.21875	data	1.638873196705114	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x9d000	0x2001d0	0x200200	0f26856bd9f096eef4c9fb8288df8da0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x29e000	0x6054	0x6200	d9ae05d46c3d254decae5afb48c19a30	False	0.5054209183673469	data	5.8023785496146045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x2a5000	0xa38c	0xa400	e34505f558f87dc0e45ea1a4c153b110	False	0.26714939024390244	data	5.303284558927834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x2b0000	0x280	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2b1000	0x1bc8	0x1c00	2c6722cd76085cc9df69a434e2f16b71	False	0.32059151785714285	data	4.628321068847722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x2b3000	0x68	0x200	01ed6f872711b8fb64328d4c252840ed	False	0.076171875	data	0.3975604819285752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x2b4000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2b5000	0x4e8	0x600	4b5b6bd7759336780a810cead7ed0ea6	False	0.333984375	data	4.783136965822635	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2b6000	0xda8	0xe00	344e13a349973cd94e362666215f6953	False	0.5711495535714286	data	5.380990554526164	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x2b5058	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, LeaveCriticalSection, RaiseException, RtlUnwindEx, VirtualProtect, VirtualQuery, __C_specific_handler
msvcrt.dll	__getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _fpreset, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcmp, memcpy, memmove, memset, signal, strlen, strncmp, vfprintf
ntdll.dll	NtCreateFile, NtReadFile, NtWriteFile, RtlNtStatusToDosError
USERENV.dll	GetUserProfileDirectoryW
WS2_32.dll	WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSARecv, WSASend, WSASocketW, WSAStartup, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, getpeername, getsockname, getsockopt, ioctlsocket, listen, recv, recvfrom, select, send, sendto, setsockopt, shutdown
KERNEL32.dll	AddVectoredExceptionHandler, CancelIo, CloseHandle, CompareStringOrdinal, CopyFileExW, CreateDirectoryW, CreateEventW, CreateFileMappingA, CreateFileW, CreateHardLinkW, CreateNamedPipeW, CreateProcessW, CreateSymbolicLinkW, CreateThread, CreateToolhelp32Snapshot, CreateWaitableTimerExW, DeleteFileW, DeleteProcThreadAttributeList, DeviceIoControl, DuplicateHandle, ExitProcess, FindClose, FindFirstFileW, FindNextFileW, FlushFileBuffers, FormatMessageW, FreeEnvironmentStringsW, GetCommandLineW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessId, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimePreciseAsFileTime, GetTempPathW, GetWindowsDirectoryW, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeProcThreadAttributeList, MapViewOfFile, Module32FirstW, Module32NextW, MoveFileExW, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleW, ReadFile, ReadFileEx, RemoveDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetCurrentDirectoryW, SetEnvironmentVariableW, SetFileAttributesW, SetFileInformationByHandle, SetFilePointerEx, SetFileTime, SetHandleInformation, SetLastError, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnmapViewOfFile, UpdateProcThreadAttribute, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFileEx, lstrlenW
ole32.dll	CoTaskMemFree
SHELL32.dll	SHGetKnownFolderPath
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng

Target ID:	0
Start time:	13:27:04
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe"
Imagebase:	0x7ff63b850000
File size:	3'107'319 bytes
MD5 hash:	3722D2AD2F7E099039229456B7472711
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:27:04
Start date:	31/10/2024
Path:	C:\Users\Public\Documents\calibre.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Documents\calibre.exe
Imagebase:	0xb0000
File size:	65'472 bytes
MD5 hash:	853D888553D002A04484C098A3D7045F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	13:27:16
Start date:	31/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\CalibreLauncher.js"
Imagebase:	0x7ff61ffd0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:27:17
Start date:	31/10/2024
Path:	C:\Users\Public\Documents\calibre.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Documents\calibre.exe"
Imagebase:	0xb0000
File size:	65'472 bytes
MD5 hash:	853D888553D002A04484C098A3D7045F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	34.9%
Total number of Nodes:	1357
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF63B8517B0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 521
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h, xrefs: 00007FF63B851BA5
s\Public, xrefs: 00007FF63B8518E4
C:\Users, xrefs: 00007FF63B8518F2

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: C:\Users$h$s\Public
API String ID: 0-3456253183
Opcode ID: a652e9657e5c05aff2a409c38d9dd38ed83f8ca8af2200ff06cfa7d44730c077
Instruction ID: 1a400eb23e30174bab3696d72c39023d63dea2792655c70fa88e2a2fbc80e11c
Opcode Fuzzy Hash: a652e9657e5c05aff2a409c38d9dd38ed83f8ca8af2200ff06cfa7d44730c077
Instruction Fuzzy Hash: 4A22E361F0C6C641FA25AB15D4003BAA751AF88BD0F044136DEDE87BE5DF7DE541A704

Function 00007FF63B851180 Relevance: 10.6, APIs: 7, Instructions: 137
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF63B8513E6), ref: 00007FF63B8511BE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF63B85122B
malloc.MSVCRT ref: 00007FF63B85125F
strlen.MSVCRT ref: 00007FF63B851284
malloc.MSVCRT ref: 00007FF63B851290
memcpy.MSVCRT ref: 00007FF63B8512A8

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
String ID:
API String ID: 3806033187-0
Opcode ID: 81487d630e4aa8cf42415a112c6d860d500aeddbe03e023e2287122e7970c47c
Instruction ID: 42cfb5eb9739ff8782b0173281cec7bc524f9308c4e3365d10b7880de9370cfb
Opcode Fuzzy Hash: 81487d630e4aa8cf42415a112c6d860d500aeddbe03e023e2287122e7970c47c
Instruction Fuzzy Hash: 0F510635B09A4A85EB51AB15E9A06B923A1BF4DB90F446036D9CEC77B1DF3CE841A304

Function 00007FF63B8948D0 Relevance: 3.1, APIs: 2, Instructions: 75
filenativesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteFile.NTDLL ref: 00007FF63B894941
WaitForSingleObject.KERNEL32 ref: 00007FF63B894955

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FileObjectSingleWaitWrite
String ID:
API String ID: 1507886151-0
Opcode ID: e3be11b6b9fd34c636410c389d103c2fe279785128bab275b29275d750e27821
Instruction ID: 2b657161e5fc740245f65afa585f6d9ff62d834dc0013b52e7f41ded1e7847a4
Opcode Fuzzy Hash: e3be11b6b9fd34c636410c389d103c2fe279785128bab275b29275d750e27821
Instruction Fuzzy Hash: 54316122F14B9599FB20CB74E8807ED37A4EB98758F544130EACD97BA8EF38D5958340

Function 00007FF63B891020 Relevance: 7.7, APIs: 5, Instructions: 184
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FF63B89119F
GetLastError.KERNEL32 ref: 00007FF63B8911B9
SetFileInformationByHandle.KERNEL32 ref: 00007FF63B8911DF
GetLastError.KERNEL32 ref: 00007FF63B89121C
GetLastError.KERNEL32 ref: 00007FF63B891266

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$File$CreateHandleInformation
String ID:
API String ID: 1834474996-0
Opcode ID: 87b9db5d41daed18cd49e87f9d904dfff9194c64b9439407e8899201472b36a1
Instruction ID: 4940f820720ccb99ee7becb7be8250f4f30b6fdfbd6ef4581cba69ad7917168c
Opcode Fuzzy Hash: 87b9db5d41daed18cd49e87f9d904dfff9194c64b9439407e8899201472b36a1
Instruction Fuzzy Hash: 5161E191F0C25365FF61AA6195013B97AA0AB08BD8F145131DDDEC7BE9CF3DD846A700

Function 00007FF63B8794C0 Relevance: 3.9, APIs: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24baa4a3222a3b121bb3ea5b1124ecf2755e13f390253a8ef35b734aad61fd6
Instruction ID: d058f858e8fd1cca2a67f5b6a9fd21b19e9d8fb9a223ced0480c85cbf2058c78
Opcode Fuzzy Hash: e24baa4a3222a3b121bb3ea5b1124ecf2755e13f390253a8ef35b734aad61fd6
Instruction Fuzzy Hash: AB310762F0CA46A4FF11DB6599063F95261AF4C7DCF584031DD8C87B65EEBCE1829340

Function 00007FF63B874B70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadDescription.KERNELBASE ref: 00007FF63B874BB7

Strings

main, xrefs: 00007FF63B874BAD

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: DescriptionThread
String ID: main
API String ID: 2285587249-3207122276
Opcode ID: 5380cd00db58704def36b7ccb4bb153cbc0f4fe725073a28fa603d650e0d8a4c
Instruction ID: 0cda5240c6e1487b0718e6db4840fd6d9ea01ff9ce1cb7e14680449cdc1464e8
Opcode Fuzzy Hash: 5380cd00db58704def36b7ccb4bb153cbc0f4fe725073a28fa603d650e0d8a4c
Instruction Fuzzy Hash: 6B016121F04611D9FB10EB65D9452FC3361BB49388F940435DD8D97BA9DFB8E84AD340

Function 00007FF63B8528F0 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoTaskMemFree.OLE32 ref: 00007FF63B852920

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask
String ID:
API String ID: 734271698-0
Opcode ID: 29d8069532dba790baf713a852be8441b2559e1a3aa4df761d68a972b5e57dfd
Instruction ID: c3c697f2158c702c8f7e89e259935362e0317ee36ea583762a66c7fc602b4284
Opcode Fuzzy Hash: 29d8069532dba790baf713a852be8441b2559e1a3aa4df761d68a972b5e57dfd
Instruction Fuzzy Hash: 04F09011A1861740FB20EB25A0417BE63509FCC7A4F044131EACDCA776DDBCD243A700

Function 00007FF63B893220 Relevance: 1.4, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FF63B89337C

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 91ebae9c3fb5a4d4064cf8b1e5e9c19c10c6710b06920cc9dacc2f671af02453
Instruction ID: 7babb85abb9412c951e6e8853c6e026d7c750132c6aab7fd7d04aa4770be753b
Opcode Fuzzy Hash: 91ebae9c3fb5a4d4064cf8b1e5e9c19c10c6710b06920cc9dacc2f671af02453
Instruction Fuzzy Hash: BA518122B0478186EB309E62E8453EE77A1FB08798F004135DE9E8BB95DF7CE241A300

Function 00007FF63B8912C0 Relevance: 1.3, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF63B8A4883), ref: 00007FF63B8913A2

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: ad3f5cbfeedfcf13903e499c3268926a66de56c683ae8b6240a3490add6e2234
Instruction ID: 9ec04275ebb5fa8ea52583bae06e8f9b3f8a5438bf1221e487792ad6358508b2
Opcode Fuzzy Hash: ad3f5cbfeedfcf13903e499c3268926a66de56c683ae8b6240a3490add6e2234
Instruction Fuzzy Hash: E4313872B146518AF7208FA6E5417AD77B0BB58388F108124DF8963B55EF78EA81C750

Non-executed Functions

Function 00007FF63B89E530 Relevance: 24.5, APIs: 16, Instructions: 465COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF63B89E5BD
WriteConsoleW.KERNEL32 ref: 00007FF63B89E5FC
WriteConsoleW.KERNEL32 ref: 00007FF63B89E663
GetLastError.KERNEL32 ref: 00007FF63B89E66C
GetLastError.KERNEL32 ref: 00007FF63B89E6FE

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharMultiWide
String ID:
API String ID: 1956605914-0
Opcode ID: d6fa8577fff9781698cb2784834ee00875b6a9474a146fdbbcde2ca34dbe5f4a
Instruction ID: ce2f53085e18db4a47ad1b12e1875b244551f4f9fd6be74d46fbacecd6c6ef4b
Opcode Fuzzy Hash: d6fa8577fff9781698cb2784834ee00875b6a9474a146fdbbcde2ca34dbe5f4a
Instruction Fuzzy Hash: 8E02E361F0869685FB209B61D8007F96A91AF4C794F448132EECDD7BE9DF7CD58AA300

Function 00007FF63B8A1370 Relevance: 21.8, APIs: 14, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d6bf26eabe0d1632d3d306af3a63d32fe6f755bfdca458dd88fe0c09068385
Instruction ID: bdfc85424bc167b84ae8a9f74a6f3fabed7922ac9958705c82578468ae83bb59
Opcode Fuzzy Hash: a7d6bf26eabe0d1632d3d306af3a63d32fe6f755bfdca458dd88fe0c09068385
Instruction Fuzzy Hash: 1A6237A2F08AD244FB719E25D4407B96791AB0ABE4F444131CEED9B7E5CF3CE691A700

Function 00007FF63B89F310 Relevance: 20.1, APIs: 13, Instructions: 644COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF63B89F5CA
GetFullPathNameW.KERNEL32 ref: 00007FF63B89F5DF
GetLastError.KERNEL32 ref: 00007FF63B89F5EA
GetLastError.KERNEL32 ref: 00007FF63B89F603

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID:
API String ID: 2482867836-0
Opcode ID: ecfd8c3bd3adc06954fb10034e5eb142da56f09cc575d3ac51fc75926ebd95c3
Instruction ID: 3cf1ad074ef97e00638e5fe1f7d656d657bb823bb1b52e4f89cd9f883b39532e
Opcode Fuzzy Hash: ecfd8c3bd3adc06954fb10034e5eb142da56f09cc575d3ac51fc75926ebd95c3
Instruction Fuzzy Hash: 1142B462B08B9285EF699F65D8443F97265BF48BC8F048036DE9D977A5DF3CE241A300

Function 00007FF63B85A130 Relevance: 8.7, APIs: 6, Instructions: 1168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9da844cb34b5c91b9cee35a265b611f789a8b874841022ab713eebbb5c2c564
Instruction ID: 72f245747c606f6ea649710eab756b83e8e72ae92545b527d089cfb54e4b5a21
Opcode Fuzzy Hash: c9da844cb34b5c91b9cee35a265b611f789a8b874841022ab713eebbb5c2c564
Instruction Fuzzy Hash: 93B2D362E04BC582EB108F2995412F86360FB687D8F469722DFAE537A6DF38E1D1D300

Function 00007FF63B880240 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 362COMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF63B880AA5), ref: 00007FF63B880306

Part of subcall function 00007FF63B8EA360: RtlCaptureContext.KERNEL32 ref: 00007FF63B8EA3F2
Part of subcall function 00007FF63B8EA360: RtlUnwindEx.KERNEL32 ref: 00007FF63B8EA42F
Part of subcall function 00007FF63B8EA360: abort.MSVCRT ref: 00007FF63B8EA435
Part of subcall function 00007FF63B8EA360: RaiseException.KERNEL32 ref: 00007FF63B8EA472

Strings

lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs, xrefs: 00007FF63B880325
StderrLock, xrefs: 00007FF63B88070B

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: AddressCaptureContextExceptionRaiseSingleUnwindWakeabort
String ID: StderrLock$lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs
API String ID: 938658393-2484903514
Opcode ID: 96ea4ad3050c817a99897064625f6cd59b20030a83f0df2b89394212f8837f9d
Instruction ID: eebd91198759e474bb94a708e344b7b766737625baeff38ccae1e23116b71cd0
Opcode Fuzzy Hash: 96ea4ad3050c817a99897064625f6cd59b20030a83f0df2b89394212f8837f9d
Instruction Fuzzy Hash: 8AD1A122F08B4686EB14DB61D4113BD63A0EF89768F544636DAAEC77E1DF3CE5829340

Function 00007FF63B887C30 Relevance: 5.0, APIs: 1, Strings: 2, Instructions: 460COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63B8C76F0: memcpy.MSVCRT ref: 00007FF63B8C787F

memcpy.MSVCRT ref: 00007FF63B88801E

Strings

assertion failed: is_code_point_boundary(self, new_len), xrefs: 00007FF63B887D95, 00007FF63B887EF8
.Components, xrefs: 00007FF63B887E49, 00007FF63B887F7B

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID: .Components$assertion failed: is_code_point_boundary(self, new_len)
API String ID: 3510742995-986385590
Opcode ID: 1b42b59c0f293a4dddcd1dcb890a694517bcee2be59998c833c92cc953d64465
Instruction ID: 02e5f5ff30e3ad6871c9daaf88e4efb833ed7d54fb25acb0f3cd8cb64377b5a1
Opcode Fuzzy Hash: 1b42b59c0f293a4dddcd1dcb890a694517bcee2be59998c833c92cc953d64465
Instruction Fuzzy Hash: 48F1F466F09A5286FE14DB61E8003B967A1AF0CBC8F444436DE8DD77A5EE3CE546E300

Function 00007FF63B858500 Relevance: 4.9, APIs: 2, Strings: 1, Instructions: 433COMMON

Download Yara Rule

Strings

, xrefs: 00007FF63B858621

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9b69018c0ed3b186ba056a2dcec648e21db9b6eb5f04c4f3e3f4bfdca43a4d7f
Instruction ID: 21bb99de49aee18b8073b635fe0dae0d48305e9b2aea23da1315eee7ae99f28a
Opcode Fuzzy Hash: 9b69018c0ed3b186ba056a2dcec648e21db9b6eb5f04c4f3e3f4bfdca43a4d7f
Instruction Fuzzy Hash: 3202E462A08AC986EB708F2598493F92351F748BD8F044A33CE9E9B7A5DF38D185D304

Function 00007FF63B8947B0 Relevance: 4.6, APIs: 3, Instructions: 76filenativesynchronizationCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL ref: 00007FF63B894821
WaitForSingleObject.KERNEL32 ref: 00007FF63B894835
RtlNtStatusToDosError.NTDLL ref: 00007FF63B89485F

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileObjectReadSingleStatusWait
String ID:
API String ID: 3583596364-0
Opcode ID: c9b21866faa3b89d0315cf257845c9edb6f0ad73a687b49f7712525f048a0ebc
Instruction ID: 73f7aaf69781c6b2e439acd75a4edb90308abe2c24200910e767c6028a69aa25
Opcode Fuzzy Hash: c9b21866faa3b89d0315cf257845c9edb6f0ad73a687b49f7712525f048a0ebc
Instruction Fuzzy Hash: E331A032F14A9589FB20CB70E8407AD33A0EB98358F548130EA8DD7BA8EF38D1918340

Function 00007FF63B8C64F0 Relevance: 4.6, Strings: 3, Instructions: 821COMMON

Download Yara Rule

Strings

__ZN, xrefs: 00007FF63B8C67F2
`fmt::Error`s should be impossible without a `fmt::Formatter`, xrefs: 00007FF63B8C70A9
.llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs, xrefs: 00007FF63B8C651B

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcmp
String ID: .llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`
API String ID: 1475443563-1033176386
Opcode ID: fbd01bc7dca341960596535b4baaf29f25a68dd04a3453e8cf4c9293111851d4
Instruction ID: c6267813f0280d99e6a822a5fc0215d4e24f1bd0d0f9663160f67410f4adf9ff
Opcode Fuzzy Hash: fbd01bc7dca341960596535b4baaf29f25a68dd04a3453e8cf4c9293111851d4
Instruction Fuzzy Hash: 646244A2E1C9A285FB148E2094146BDAB61BB0D794F544336DEDE877E5DF3CE944E300

Function 00007FF63B85E0F0 Relevance: 4.4, APIs: 3, Instructions: 621COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00007FF63B85E188
memcmp.MSVCRT ref: 00007FF63B85E1E4
memcmp.MSVCRT ref: 00007FF63B85E212

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 7b8bd37ac05472c1f688518fb33f73d97958f5587a90275488d8cc1d6babc322
Instruction ID: e14f48b576d08d66293aad4d2fb419f2b4f1fcdd02d971f51b8ed7d242d4b53f
Opcode Fuzzy Hash: 7b8bd37ac05472c1f688518fb33f73d97958f5587a90275488d8cc1d6babc322
Instruction Fuzzy Hash: 8B320522F0869A85FB218B25D8006F86751AF1D7D9F844637EECE937A5DF38D146E308

Function 00007FF63B85BF90 Relevance: 4.4, APIs: 3, Instructions: 606COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF63B85C8EE

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 40f2bd7941c54a29647a8b9210481e05cdad55683e608500f8d317bb364a2669
Instruction ID: 4dc005ead39d0f2f58aaeb7e25b0a6a68a98728d9f6c3f87cb79c4766dc296a6
Opcode Fuzzy Hash: 40f2bd7941c54a29647a8b9210481e05cdad55683e608500f8d317bb364a2669
Instruction Fuzzy Hash: 6A52A572A14B8592DB10CF29D5446EC7764F758B98F819722DFAE533A1EF38E299C300

Function 00007FF63B85B550 Relevance: 4.3, APIs: 3, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417020d1d7a5646c9e01f6c3bb1e62516b20a8488bfb65bae6cef5f62086aa1c
Instruction ID: d799cedce7e6b2e3bf3debe9288ee75a187c60853e18ad76cae81731ef660295
Opcode Fuzzy Hash: 417020d1d7a5646c9e01f6c3bb1e62516b20a8488bfb65bae6cef5f62086aa1c
Instruction Fuzzy Hash: 4232B362E04BD486E7118F29D5012E96760FB687D8F45A321EFAE537A6EF34E2D5C300

Function 00007FF63B85CA10 Relevance: 4.2, APIs: 3, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045032e43e5243348bda05fffaba070f9e70687af0d0abd52625bcc8eecd977b
Instruction ID: 413dde141d5eb890449a32678c1a9b5649450170991c53fc6d91486d64bb7574
Opcode Fuzzy Hash: 045032e43e5243348bda05fffaba070f9e70687af0d0abd52625bcc8eecd977b
Instruction Fuzzy Hash: 45F1D6A2E04B8582EA108F6984056EC2721F759BE8F419732DFBE673D1EF38E584D700

Function 00007FF63B8DB760 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 625COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00007FF63B8DB7DF

Strings

.llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs, xrefs: 00007FF63B8DBCA3

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcmp
String ID: .llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs
API String ID: 1475443563-1822433098
Opcode ID: d4cda76c647002c9c0dca3d5d87d028cafbcea0ad1bfec7cc91d6084fac1c9a9
Instruction ID: ecfb9ae199771f82bc1249f490aff9fb85c3c2392c3af0404ffbe3975a187427
Opcode Fuzzy Hash: d4cda76c647002c9c0dca3d5d87d028cafbcea0ad1bfec7cc91d6084fac1c9a9
Instruction Fuzzy Hash: 6C32F222B186D58AEB60CF25A8147B96791FF09B94F40453BDE8E87BA4DF3CE545E300

Function 00007FF63B8CB880 Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF63B8CBB16

Strings

called `Result::unwrap()` on an `Err` valueErrorLayoutError, xrefs: 00007FF63B8CB8DF

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID: called `Result::unwrap()` on an `Err` valueErrorLayoutError
API String ID: 3510742995-3725152123
Opcode ID: 81038fc792a85a7b2108a7629e570a67702d662dfe0d5b8f2563d0cca88e6b90
Instruction ID: 9ed4a14e1514ad9999e760d999dc897e042440e42aaa8df506bb78f317dcdd38
Opcode Fuzzy Hash: 81038fc792a85a7b2108a7629e570a67702d662dfe0d5b8f2563d0cca88e6b90
Instruction Fuzzy Hash: 87027D72F14F5988FB008BA0E8503EC73B5BB48748F54863ADE9D967A9EF389185D300

Function 00007FF63B858C20 Relevance: 2.9, APIs: 2, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f73c71891715dbaacf9de5ff9a6b009c0891da66bf2290eeb7d084683ff114a
Instruction ID: c36d373da662c74f78553142d2d3e6583bb29d136f3225321edf8f83ef3746d6
Opcode Fuzzy Hash: 3f73c71891715dbaacf9de5ff9a6b009c0891da66bf2290eeb7d084683ff114a
Instruction Fuzzy Hash: 7D029262B14A8985EB708F25D8483ED2761F758BD8F404633DE9E877A4DF39D286D304

Function 00007FF63B87F520 Relevance: 2.8, APIs: 2, Instructions: 318COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF63B87F597
memcpy.MSVCRT ref: 00007FF63B87F5F2

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: b86706a7d2cf204e2e51d77cb9bad41f1a97247a187825014c65b4a4c7524c15
Instruction ID: 8a628d64268dcc1ba2f0c86e2f703b967249f0bf8a57cc59ea4fec51b5f3540e
Opcode Fuzzy Hash: b86706a7d2cf204e2e51d77cb9bad41f1a97247a187825014c65b4a4c7524c15
Instruction Fuzzy Hash: C9C1E362F1978681EE10DB26A4067B96761FF1DB9CF458536CEAD933A1EE7CA041E300

Function 00007FF63B857400 Relevance: 2.0, Strings: 1, Instructions: 794COMMON

Download Yara Rule

Strings

, xrefs: 00007FF63B857E91

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5545588619da7bb89792b3fb494ee7201640f1602b5226a310355cfa4b7acd43
Instruction ID: 48f47b6574b50ec8d06b775edfd09dfa12da6657fce2cc32868e04087e98d39f
Opcode Fuzzy Hash: 5545588619da7bb89792b3fb494ee7201640f1602b5226a310355cfa4b7acd43
Instruction Fuzzy Hash: 4F424763B09AD442FB618B66E9007ED6750B748BD4F458232DE9E977A1EE3CD287D300

Function 00007FF63B8E3970 Relevance: 2.0, Strings: 1, Instructions: 771COMMON

Download Yara Rule

Strings

0x0o00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19, xrefs: 00007FF63B8E3CF1, 00007FF63B8E3E8D, 00007FF63B8E4056, 00007FF63B8E4266, 00007FF63B8E44D0

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0x0o00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19
API String ID: 0-1744301434
Opcode ID: 12b8772e55c1258e7ca1ef30fe6dcf2b8e3e5cc98b32bd2d7e346f2324c0c036
Instruction ID: ad1dcf70ff90f9e8279198dc16712c3c93afed18ecd470637164f3cf367fd847
Opcode Fuzzy Hash: 12b8772e55c1258e7ca1ef30fe6dcf2b8e3e5cc98b32bd2d7e346f2324c0c036
Instruction Fuzzy Hash: 7E620232A28A658AE725CB20E4147FC6760FB59344F906236EEDE93BE5DF3D9644D300

Function 00007FF63B853410 Relevance: 1.8, Strings: 1, Instructions: 560COMMON

Download Yara Rule

Strings

0b0x0o00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19, xrefs: 00007FF63B8E5400, 00007FF63B8E569B, 00007FF63B8E591C

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0b0x0o00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19
API String ID: 0-528522809
Opcode ID: f2614912107fd56ce8750da9af44e6e5b86572c458f76170d13e9200f7d5bc47
Instruction ID: 2302a8d5663b70d4fbb5e543eabf83929ab46cf9567d3f86c514eb9ed36c9a41
Opcode Fuzzy Hash: f2614912107fd56ce8750da9af44e6e5b86572c458f76170d13e9200f7d5bc47
Instruction Fuzzy Hash: BA223332B18A9586E7659B20E0147FDA764FB99744F80A036DECE83BA1DE3CD295D340

Function 00007FF63B8DC9D0 Relevance: 1.7, Strings: 1, Instructions: 478COMMON

Download Yara Rule

Strings

00000000, xrefs: 00007FF63B8DCA20

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 00000000
API String ID: 0-3221785859
Opcode ID: 511ea21eaabec23d54837423cdc3bbd93fd86ca076700706d416f64bd714a5e1
Instruction ID: 2022854b00bacdac0bd8f712e769c6fd8c0cc815aa5eb1be0c4c35c111cf107f
Opcode Fuzzy Hash: 511ea21eaabec23d54837423cdc3bbd93fd86ca076700706d416f64bd714a5e1
Instruction Fuzzy Hash: 9D12E362B04B8189EB20CF25F8407E927A5BF48788F44863BDE8D87BA4DF78D545D740

Function 00007FF63B8E5F90 Relevance: 1.7, Strings: 1, Instructions: 466COMMON

Download Yara Rule

Strings

0x0o00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19, xrefs: 00007FF63B8E6140, 00007FF63B8E6371, 00007FF63B8E65A1

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0x0o00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899assertion failed: *curr > 19
API String ID: 0-1744301434
Opcode ID: 7c9833d0eb53b1d94ae3c5d56b42e76e92e8facb375206c6059aa191ab40b316
Instruction ID: 02e4a0a5e17f507735f54588884e8321432d51b995766a431aa453535ded45cd
Opcode Fuzzy Hash: 7c9833d0eb53b1d94ae3c5d56b42e76e92e8facb375206c6059aa191ab40b316
Instruction Fuzzy Hash: 64027663A186A185EB24CF28D0147FD6761FB5A7A4F40A235DEDE97BE4EE3C9604D300

Function 00007FF63B885B70 Relevance: 1.7, Strings: 1, Instructions: 464COMMON

Download Yara Rule

Strings

Iter, xrefs: 00007FF63B88628F

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Iter
API String ID: 0-841058261
Opcode ID: c75392679c9487452fc1a751b1028014ffe07122866722351a3a91a8578faaf5
Instruction ID: ba67e2a49eb0b2a0782a1b57e7a9a482a436d5a70d01891196fc17eb103c485a
Opcode Fuzzy Hash: c75392679c9487452fc1a751b1028014ffe07122866722351a3a91a8578faaf5
Instruction Fuzzy Hash: 68F16726E0D69686FB658B20D6003FD67A2EF19788F444032DECDC67B5DF7DA586A300

Function 00007FF63B85AAA0 Relevance: 1.6, APIs: 1, Instructions: 383COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF63B85B534

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 25ff006b35229316881f9d4f2c1f162d663e882e5b97efd1ef82d9ea625f88bc
Instruction ID: 2fc436b91cebdf0722472725d68ff6c6f4c63f229c53ebf48984b3eabdc3213c
Opcode Fuzzy Hash: 25ff006b35229316881f9d4f2c1f162d663e882e5b97efd1ef82d9ea625f88bc
Instruction Fuzzy Hash: 19028F53A18BC893E7118F2996012E96760FB687C8F46A711DF9E53766EF34E2E5C300

Function 00007FF63B85C935 Relevance: 1.6, APIs: 1, Instructions: 365COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF63B85D3C3

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 40f4341b2393c8d88519353c63848b5f7e3b69d4e2285dd8b757317515c17fc7
Instruction ID: 362eb60a53bd9d00ed16cc1acf755c7bcb8c8f79069d1fedc9c681a9750d0616
Opcode Fuzzy Hash: 40f4341b2393c8d88519353c63848b5f7e3b69d4e2285dd8b757317515c17fc7
Instruction Fuzzy Hash: EDE1D4A2F04A9592FB11CF29D5006AC6721F758BC8B459732DFAE973A1EF38E594C304

Function 00007FF63B8DAE80 Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

falsetrue, xrefs: 00007FF63B8DAE88

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: falsetrue
API String ID: 0-2583396087
Opcode ID: 3c931abaa790965a00de698a11a96bf2fa9f29c303bde85a39a6071edfca1027
Instruction ID: 217ab60119e4d182406206f40ad1b50a871e5677d85f03456002d72946fad5cf
Opcode Fuzzy Hash: 3c931abaa790965a00de698a11a96bf2fa9f29c303bde85a39a6071edfca1027
Instruction Fuzzy Hash: 46B16C96E2DBA601FA23433E64016B449405F677E4A01D73BEDBD71BF1EF39E642A200

Function 00007FF63B882180 Relevance: 1.6, APIs: 1, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHandleLast
String ID:
API String ID: 2586478127-0
Opcode ID: ccdc4a8769f107b8b923ffd279c3e2f343628e55faa1909371611fed678b4723
Instruction ID: 97bf6d381961a88f5c95f18d2746ea28801970745c8e79b9287629ef01074436
Opcode Fuzzy Hash: ccdc4a8769f107b8b923ffd279c3e2f343628e55faa1909371611fed678b4723
Instruction Fuzzy Hash: F8C11662F09A9687EE04CF16E8046B96791BF0CBC4F548535DE9DD7BA5DE3CE442A300

Function 00007FF63B85D6A8 Relevance: 1.6, APIs: 1, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17652e3a8254b6321586e6a427a5cc7d136a4433342daef490fe464ef3add8db
Instruction ID: 5c94cf14956c686e5369e5be9a9058029f88cd31726e71214cac66e2ffe23773
Opcode Fuzzy Hash: 17652e3a8254b6321586e6a427a5cc7d136a4433342daef490fe464ef3add8db
Instruction Fuzzy Hash: C0D1D352F08AC582FA018F2895055F86725FB697A8B46D332DE7E673D2EF34A5C5C304

Function 00007FF63B85D637 Relevance: 1.6, APIs: 1, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093ae826fe15420fa045ddde67a755531767c9251c3b7ab0d2502e99507ad552
Instruction ID: c42a6a180220997a442de989761d92a21b5d37fac117c89ad8c730b013b8ec65
Opcode Fuzzy Hash: 093ae826fe15420fa045ddde67a755531767c9251c3b7ab0d2502e99507ad552
Instruction Fuzzy Hash: FCC1E762F04AD982FB11CF28C6049EC6321FB547E8B859322DE6E67395EF74E685C304

Function 00007FF63B884EC0 Relevance: 1.5, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF63B884F4B

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: bad9ede1a7c196771ea4303c3629f95c172ced7c15b50dcb64c3bda053504e79
Instruction ID: 0cef11a081bcb12b277bae912b8bedc4c1b22dfe652e1610a3ee7433c037cb55
Opcode Fuzzy Hash: bad9ede1a7c196771ea4303c3629f95c172ced7c15b50dcb64c3bda053504e79
Instruction Fuzzy Hash: 12810512F196918AFB118A6588113FD2B51FB5D798F048939DE8ECBBD9DE3CD280E350

Function 00007FF63B88D7E0 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 00007FF63B88D9BD

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: 01f622e2a1d6dfdbed27203ca3b1c284ea5d5d90bced9f323d75cb31d9cd0a59
Instruction ID: 6e3fee1a4661a77d213926ccaf7bc967cdb9116ef5b13c216de50b349f192a47
Opcode Fuzzy Hash: 01f622e2a1d6dfdbed27203ca3b1c284ea5d5d90bced9f323d75cb31d9cd0a59
Instruction Fuzzy Hash: F6611453E1C5D15AF3198E6859202BD2EA1AB19348F04853DDAEBE77F5CE3C9502E310

Function 00007FF63B996CB2 Relevance: .7, Instructions: 666COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb91228751b0efc63ceca3f93e0858f718a14aa65448bcf9a1d37d741515f7d
Instruction ID: 62053d499f8979b776e939acfb9a8610fb04318510fc2a60ea6fb18c6ea97594
Opcode Fuzzy Hash: 8bb91228751b0efc63ceca3f93e0858f718a14aa65448bcf9a1d37d741515f7d
Instruction Fuzzy Hash: 08320523B042219FF7284A34C8517FD3792E799704F148135EFC9973DADE6D6949A340

Function 00007FF63B8648F0 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 6933df55a50f57596572f4d4ed261b95670b8b2e777c41d223b685af9487db52
Instruction ID: 36a90a92af53e18b4702d8d161d2c6c0485ef5c512e82888d204c8baa949b115
Opcode Fuzzy Hash: 6933df55a50f57596572f4d4ed261b95670b8b2e777c41d223b685af9487db52
Instruction Fuzzy Hash: 68128172B14A5589EB04CBA5E4503FC77B1AB887A4F488231DFAD93BA8DF78D545D300

Function 00007FF63B9987CF Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4f1bdbc699e5993380fca7d82b1bd7cdbfa05b0e47b11a06f7f93abbda0119
Instruction ID: 3983e114623889bca402628af17924ba039c1a6b93656e5b218aaea3e6fa9c86
Opcode Fuzzy Hash: bc4f1bdbc699e5993380fca7d82b1bd7cdbfa05b0e47b11a06f7f93abbda0119
Instruction Fuzzy Hash: 7AD12763B082218FF3188A39C8817BD3692E789754F14C279EF89D77DADE3D99459340

Function 00007FF63B8E9490 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad884ff55f7726e80c3b0436c3558f17546bec5d86aafa1267ead61c776d48b2
Instruction ID: 7c82c6bd75dbbb33e0099c1c5562a4ae9440876a757077aebf51ac491667faa7
Opcode Fuzzy Hash: ad884ff55f7726e80c3b0436c3558f17546bec5d86aafa1267ead61c776d48b2
Instruction Fuzzy Hash: F5D13AA2E1C69286F7148B94E4107FC2761EB89780F946136DDCF937A5CE7CAA46E340

Function 00007FF63B857D70 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9396d119a77d1c8e2bfc5931525acb9f5aa7c6d58bda2afad83dbb78b865e6e
Instruction ID: bb89cbfc24c475381f49a3b2cdc2f24adfed20f0151a223b1bdf60ffec143332
Opcode Fuzzy Hash: d9396d119a77d1c8e2bfc5931525acb9f5aa7c6d58bda2afad83dbb78b865e6e
Instruction Fuzzy Hash: 2671B572B19BC985EB70CF2598483E92691F748BD8F044637CE9E9B7A4DE38D641D304

Function 00007FF63B8D1450 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc570ffb4ae56b960260507304eaa2a4c554c849a426bb6218ab45f6928df0f
Instruction ID: 7bb828845c47f025ddccaf150c09a47f30cd1633db31e09b34ddc33ad78a786f
Opcode Fuzzy Hash: 3cc570ffb4ae56b960260507304eaa2a4c554c849a426bb6218ab45f6928df0f
Instruction Fuzzy Hash: B8612EA3F196E09EE3219774A400AAC7F71DF15B44F0890AACFC857F96CA3AC115E751

Function 00007FF63BB01B88 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f34747f2e3f4212df9440228b02bf58113d0611040ea2d2a6e48c9568406757
Instruction ID: 72a7f27c79963c1fbfbe6938cdcfaccec5d9310ffee8180308058a053cb61fa1
Opcode Fuzzy Hash: 1f34747f2e3f4212df9440228b02bf58113d0611040ea2d2a6e48c9568406757
Instruction Fuzzy Hash: 13D0128BB0EAC305F1598554092517D2EC16B57E3570C416AEAA5863D2BF091906A212

Function 00007FF63B8A1800 Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 479COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF63B8A19B5
GetFullPathNameW.KERNEL32 ref: 00007FF63B8A19D1
GetLastError.KERNEL32 ref: 00007FF63B8A19DC
GetLastError.KERNEL32 ref: 00007FF63B8A19F5

Strings

\\?\UNC\, xrefs: 00007FF63B8A1B69
\\?\, xrefs: 00007FF63B8A1B17

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID: \\?\$\\?\UNC\
API String ID: 2482867836-3019864461
Opcode ID: 2122492b4eb0333c77c7b5a8ddde4668f072be821119217e02c5428283a680cc
Instruction ID: 2629df62c8d589b921ec45e0e5ba6f05116d91856eff7e8123fe40e39043f303
Opcode Fuzzy Hash: 2122492b4eb0333c77c7b5a8ddde4668f072be821119217e02c5428283a680cc
Instruction Fuzzy Hash: EC12C062F086D285EB70AF2184443B96395FB0AB94F448136DEDD9B7E5DF3CE681A700

Function 00007FF63B876CD0 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 408COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF63B876DB9
GetCurrentDirectoryW.KERNEL32 ref: 00007FF63B876DC4
GetLastError.KERNEL32 ref: 00007FF63B876DD0
GetLastError.KERNEL32 ref: 00007FF63B876DE9
GetLastError.KERNEL32 ref: 00007FF63B876E87
GetEnvironmentStringsW.KERNEL32 ref: 00007FF63B876F2B
GetLastError.KERNEL32 ref: 00007FF63B876F3F

Part of subcall function 00007FF63B8EA360: RtlCaptureContext.KERNEL32 ref: 00007FF63B8EA3F2
Part of subcall function 00007FF63B8EA360: RtlUnwindEx.KERNEL32 ref: 00007FF63B8EA42F
Part of subcall function 00007FF63B8EA360: abort.MSVCRT ref: 00007FF63B8EA435
Part of subcall function 00007FF63B8EA360: RaiseException.KERNEL32 ref: 00007FF63B8EA472

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF63B877215, 00007FF63B87725B
innerVarsOs, xrefs: 00007FF63B87732C
Vars, xrefs: 00007FF63B8772FF

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CaptureContextCurrentDirectoryEnvironmentExceptionRaiseStringsUnwindabort
String ID: Vars$called `Result::unwrap()` on an `Err` value$innerVarsOs
API String ID: 1982851867-2235028769
Opcode ID: e921b6a4486d3119278a64ef0d52a8b7fa698d28b42ae79f5503faa2cebf1a7f
Instruction ID: 5f28a3f910998013057b1e0486b993e6ca8fd6a1b9b38720809c6c34749dbd5b
Opcode Fuzzy Hash: e921b6a4486d3119278a64ef0d52a8b7fa698d28b42ae79f5503faa2cebf1a7f
Instruction Fuzzy Hash: 19F1F226F08B9289FB208F61E8017FD2764BB09798F444136EE9D977A9DFBC9641D340

Function 00007FF63B8EA9F0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF63B8EAB0B

Strings

Address %p has no image-section, xrefs: 00007FF63B8EAA62, 00007FF63B8EABB5
Mingw-w64 runtime failure:, xrefs: 00007FF63B8EAA27
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF63B8EABA1
VirtualProtect failed with code 0x%x, xrefs: 00007FF63B8EAB7E

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 0f8ee5c3b07aa3015d91298761b1289a543a31721db7804d6ca8c886fee2c95b
Instruction ID: e35737395192804eaffcc7b60e0505729cc7316b879709d3fa1dd94bb8624ebc
Opcode Fuzzy Hash: 0f8ee5c3b07aa3015d91298761b1289a543a31721db7804d6ca8c886fee2c95b
Instruction Fuzzy Hash: 0B51D032A08A4682EA109B11E8406FD77A1FF8DB94F845131EE8E873B4EF3CE581D740

Function 00007FF63B88C760 Relevance: 12.1, APIs: 8, Instructions: 127fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF63B88C79D
WriteFileEx.KERNEL32 ref: 00007FF63B88C84C
SleepEx.KERNEL32 ref: 00007FF63B88C86A
GetLastError.KERNEL32 ref: 00007FF63B88C8CF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00007FF63B854015), ref: 00007FF63B88C904
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00007FF63B854015), ref: 00007FF63B88C90C
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00007FF63B854015), ref: 00007FF63B88C972
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00007FF63B854015), ref: 00007FF63B88C97A

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$ErrorFileLastSleepWritememset
String ID:
API String ID: 2935194761-0
Opcode ID: 5e261e4be4b7c29f38b8bf04ea2ed30613187c6286a186661ab4f3539da0a9a9
Instruction ID: 074612bbaa589161e1e3d10a877be9b9c62efcd367668b15c86a5ab02f8b192c
Opcode Fuzzy Hash: 5e261e4be4b7c29f38b8bf04ea2ed30613187c6286a186661ab4f3539da0a9a9
Instruction Fuzzy Hash: 5751A122A08AC685E7319B2198017FE2290FF4C7D8F545131DEDD8BBE9DF7CA186A740

Function 00007FF63B877510 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF63B87763A
GetEnvironmentVariableW.KERNEL32 ref: 00007FF63B87764C
GetLastError.KERNEL32 ref: 00007FF63B877658
GetLastError.KERNEL32 ref: 00007FF63B877671

Strings

environment variable not foundenvironment variable was not valid unicode: , xrefs: 00007FF63B877895

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID: environment variable not foundenvironment variable was not valid unicode:
API String ID: 2691138088-3632183283
Opcode ID: b98d200d987c2c93988564ca019bb7daa516f01dd3a31fefd1ac489696806e8e
Instruction ID: d5374c8b656d05248c4cee8f6bd3cf33842ac6f6d65fc757479eea94d4cb9d96
Opcode Fuzzy Hash: b98d200d987c2c93988564ca019bb7daa516f01dd3a31fefd1ac489696806e8e
Instruction Fuzzy Hash: B9A18D66B04AD289EB319F25D8453ED2364FB08B8CF044136DE9C9BBA9DF78D281D340

Function 00007FF63B8EA360 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF63B8EA3F2
RtlUnwindEx.KERNEL32 ref: 00007FF63B8EA42F
abort.MSVCRT ref: 00007FF63B8EA435
RaiseException.KERNEL32 ref: 00007FF63B8EA472
abort.MSVCRT ref: 00007FF63B8EA487

Strings

CCG , xrefs: 00007FF63B8EA46D

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: abort$CaptureContextExceptionRaiseUnwind
String ID: CCG
API String ID: 4122134289-1584390748
Opcode ID: fa4197c93fc63c602591c23bd2b149e4bf5c4b3e4635d0dc6cf042b1eb1ab0c0
Instruction ID: 67e3c1422a3f371ed00347ce18fe096e75f38738882065b4ee844d64eae84961
Opcode Fuzzy Hash: fa4197c93fc63c602591c23bd2b149e4bf5c4b3e4635d0dc6cf042b1eb1ab0c0
Instruction Fuzzy Hash: 4C314F72A08B8586E7209F24E4403A9B770FBDD788F50A226EACD53779DF79D195CB00

Function 00007FF63B8A47A0 Relevance: 9.2, APIs: 6, Instructions: 155fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 00007FF63B8A496A
MapViewOfFile.KERNEL32 ref: 00007FF63B8A498A
CloseHandle.KERNEL32 ref: 00007FF63B8A4995
CloseHandle.KERNEL32 ref: 00007FF63B8A49BE
GetLastError.KERNEL32 ref: 00007FF63B8A49C5
CloseHandle.KERNEL32 ref: 00007FF63B8A49F1

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$File$CreateErrorLastMappingView
String ID:
API String ID: 2116955982-0
Opcode ID: 9252a8afeb1f30eb626360f51b521bd483510a4a74b3c0a8a495604f82ab29b1
Instruction ID: b0e02ca820a0e8971910faffe9320bb504582d9461f64c0ca73a0f109a34a9a3
Opcode Fuzzy Hash: 9252a8afeb1f30eb626360f51b521bd483510a4a74b3c0a8a495604f82ab29b1
Instruction Fuzzy Hash: EC61AE22A08B8189FB619F65E4453FD67A0FB88398F184134EECD42BA5EF7CE195D740

Function 00007FF63B88E5B0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 265COMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF63B88E84E

Strings

Box<dyn Any>aborting due to panic at , xrefs: 00007FF63B88E648
main, xrefs: 00007FF63B88E7D1
<unnamed>, xrefs: 00007FF63B88E6DC, 00007FF63B88E7E2
cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs, xrefs: 00007FF63B88E924

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: AddressSingleWake
String ID: <unnamed>$Box<dyn Any>aborting due to panic at $cannot access a Thread Local Storage value during or after destructionlibrary\std\src\thread\local.rs$main
API String ID: 3114109732-1706025368
Opcode ID: 8085ea7aae40658ce346d6001ccfa5f99530c5a55c32b269bc0a9d9c23817a30
Instruction ID: 0ef8504a00d6a63f9c64e3d87697ee8c4371ea02c8b768a06436adc654c4c3c6
Opcode Fuzzy Hash: 8085ea7aae40658ce346d6001ccfa5f99530c5a55c32b269bc0a9d9c23817a30
Instruction Fuzzy Hash: B0C19F22A09A4A86FB219B20E4403BC27A0EF5D749F480536DACDC77E5DF3CE555E382

Function 00007FF63B8A9800 Relevance: 8.9, APIs: 7, Instructions: 149COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,00007FF63B88EE11,?,?,?,?,?,00007FF63B88E29F), ref: 00007FF63B8A9824
TlsGetValue.KERNEL32(00000000,?,?,00007FF63B88EE11,?,?,?,?,?,00007FF63B88E29F), ref: 00007FF63B8A9887
TlsSetValue.KERNEL32(00000000,?,?,00007FF63B88EE11,?,?,?,?,?,00007FF63B88E29F), ref: 00007FF63B8A9897
TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?,?,00007FF63B88EE11,?,?,?,?,?,00007FF63B88E29F), ref: 00007FF63B8A9922
TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?,?,00007FF63B88EE11,?,?,?,?,?,00007FF63B88E29F), ref: 00007FF63B8A9946
TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?,?,00007FF63B88EE11,?,?,?,?,?,00007FF63B88E29F), ref: 00007FF63B8A999C
TlsSetValue.KERNEL32(?,?,?,?,?,00000000,?,?,00007FF63B88EE11,?,?,?,?,?,00007FF63B88E29F), ref: 00007FF63B8A99A9

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9855c9a8d4bb63fe92913d480e523f0e464f9d2a7bfa59f23a0aa18dc8171208
Instruction ID: 851f5f36e13b438447e258b98ae60a5e33c7035cbc0d07d4673d84c12ad2aacb
Opcode Fuzzy Hash: 9855c9a8d4bb63fe92913d480e523f0e464f9d2a7bfa59f23a0aa18dc8171208
Instruction Fuzzy Hash: E251F422F0C6A646FA559B15854037DA791AF8DB80F488035DECDD77E2EE3DE843A740

Function 00007FF63B8EABD0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 240memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00007FF63BB00190,00007FF63BB00198,00000001,?,?,?,?,?,00007FF63B851224,?,?,?,00007FF63B8513E6), ref: 00007FF63B8EADAD

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF63B8EAF1A
Unknown pseudo relocation protocol version %d., xrefs: 00007FF63B8EAF26
Unknown pseudo relocation bit size %d., xrefs: 00007FF63B8EAF04

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 83b30d1ee4ab03ffbf7fdbd125f40f7ef3244a665f0a527f671ebf7a4aa69859
Instruction ID: 85fab374641a4619306459b554e8c4832fcfa319ca1af5f92d607f486ef1acba
Opcode Fuzzy Hash: 83b30d1ee4ab03ffbf7fdbd125f40f7ef3244a665f0a527f671ebf7a4aa69859
Instruction Fuzzy Hash: F091B436F0855786EA109B24D9402FD6291BF6DF64F54A231DDAE977F8DF3CE842A200

Function 00007FF63B8A38C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF63B8A98CE,00000000,?,?), ref: 00007FF63B8A3903
InitOnceComplete.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF63B8A98CE,00000000,?,?), ref: 00007FF63B8A394E

Strings

assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FF63B8A3B8E
assertion failed: len >= mem::size_of::<c::sockaddr_in>()library\std\src\sys_common\net.rs, xrefs: 00007FF63B8A3B76

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: AllocCompleteInitOnce
String ID: assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()library\std\src\sys_common\net.rs
API String ID: 622421136-513854611
Opcode ID: 74a2feb1e0133fab3b64d0fbefa5beeee472e55baf4a25a0c49fef12cb0e5819
Instruction ID: e2d644d2cfb288a235c47aaace65c64332cb98b522c819ac11f040b8580995fa
Opcode Fuzzy Hash: 74a2feb1e0133fab3b64d0fbefa5beeee472e55baf4a25a0c49fef12cb0e5819
Instruction Fuzzy Hash: F691AE22E046529AE710DF65E8407BD77B0FB48758F588036EE8D93BA4EF38E685D740

Function 00007FF63B8A9E60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF63B8EA34B

Strings

CCG , xrefs: 00007FF63B8EA346
TSUR, xrefs: 00007FF63B8A9F04
TSUR, xrefs: 00007FF63B8A9E75

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise
String ID: CCG $TSUR$TSUR
API String ID: 3997070919-4029986600
Opcode ID: 55554e98c817c919e66f2176ec202432409698ea6d5477c8f486d316a8577e33
Instruction ID: cf4cb5ec7b3eceeede2d5f10d5b180e82839d87d6fc25d2794a32ad82c59fc97
Opcode Fuzzy Hash: 55554e98c817c919e66f2176ec202432409698ea6d5477c8f486d316a8577e33
Instruction Fuzzy Hash: F731AF22E29E8582E6149B55D8102B82760FFDDB44F459235EE8D437A1EF38E6E6D700

Function 00007FF63B8891B0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 307COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF63B889214
memcpy.MSVCRT ref: 00007FF63B8892F4
memcpy.MSVCRT ref: 00007FF63B8894E2

Part of subcall function 00007FF63B8C76F0: memcpy.MSVCRT ref: 00007FF63B8C787F

Strings

assertion failed: is_code_point_boundary(self, new_len), xrefs: 00007FF63B88933A

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: is_code_point_boundary(self, new_len)
API String ID: 3510742995-9383156
Opcode ID: 1d0b013b8046f6d0eb259ed9b4451d8bc8ee81aa73246cccc4a6afee629d43be
Instruction ID: a279247b6fa9d5b78f02f42a2b630d33b4b150f136149a1eaabcc4de34a1a2d0
Opcode Fuzzy Hash: 1d0b013b8046f6d0eb259ed9b4451d8bc8ee81aa73246cccc4a6afee629d43be
Instruction Fuzzy Hash: B2B1D552F08A9646FB019B6698002FD6761BF5DBC8F089431DE9D977A6DF3CE582E300

Function 00007FF63B89E240 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF63B89E263
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF63B89E27B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF63B89E519

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF63B89E4B7

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: Handle$CloseErrorLast
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 2105119405-2333694755
Opcode ID: 39a5bb1c39b83257ccc83678f5f6990cd6defe40eed6e8da5e5d891a8f5f991d
Instruction ID: ada9665c8f449559f3072c7adcb6fefaba8ec72e034daf5d78948be217db0a54
Opcode Fuzzy Hash: 39a5bb1c39b83257ccc83678f5f6990cd6defe40eed6e8da5e5d891a8f5f991d
Instruction Fuzzy Hash: 6A81C261E08A8A94FF108B60D5407FD3B61AF09798F449036DECD97BA9DE7CA199E340

Function 00007FF63B8983B0 Relevance: 6.1, APIs: 4, Instructions: 144COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF63B855FA4), ref: 00007FF63B898402
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF63B855FA4), ref: 00007FF63B898470
CompareStringOrdinal.KERNEL32 ref: 00007FF63B898549
GetLastError.KERNEL32 ref: 00007FF63B89855E

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CompareOrdinalString
String ID:
API String ID: 2075851353-0
Opcode ID: b0b56f287cf12bc41f5206061b418a6344d8f4324afc95b77524bb8d933cfb00
Instruction ID: 5851ee00ced4b69dcbd31adbcc946d1fa24ce19e8e40f3ba4290874d3b071892
Opcode Fuzzy Hash: b0b56f287cf12bc41f5206061b418a6344d8f4324afc95b77524bb8d933cfb00
Instruction Fuzzy Hash: FF51AF22B09B468AEB109B61D8103FC37A4FB88B88F144531DECD877A6DF7CE5419340

Function 00007FF63B8524D2 Relevance: 6.0, APIs: 4, Instructions: 38stringCOMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF63B85251E
CoTaskMemFree.OLE32 ref: 00007FF63B85252C
lstrlenW.KERNEL32 ref: 00007FF63B852540

Part of subcall function 00007FF63B884EC0: memcpy.MSVCRT ref: 00007FF63B884F4B

CoTaskMemFree.OLE32 ref: 00007FF63B85255A

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask$FolderKnownPathlstrlenmemcpy
String ID:
API String ID: 578397516-0
Opcode ID: 7aaa3a6036295c4da0237f3515f55e3984e5c2c7d645d4990d94ef2000d5c188
Instruction ID: c92ad3e48839569dcaf43561a8bca0c19ccfa5de9671ca25276a66b11874410e
Opcode Fuzzy Hash: 7aaa3a6036295c4da0237f3515f55e3984e5c2c7d645d4990d94ef2000d5c188
Instruction Fuzzy Hash: 42018416B1855241FB20EA56A0513BE9751AFCCBD0F088131EECD87B76DD7CD2429B00

Function 00007FF63B852880 Relevance: 6.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF63B8528A2
CoTaskMemFree.OLE32 ref: 00007FF63B8528B0
lstrlenW.KERNEL32 ref: 00007FF63B8528C4
CoTaskMemFree.OLE32 ref: 00007FF63B8528DE

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask$FolderKnownPathlstrlen
String ID:
API String ID: 885572716-0
Opcode ID: 834b85390a2a52c17501fea409be2a3b07a5646b0cb1e4d732b6bbcfa62fa94a
Instruction ID: 973d9d1620dfa30a4a7b49264bc67190a1b608bb0023c74f382da712f9e38265
Opcode Fuzzy Hash: 834b85390a2a52c17501fea409be2a3b07a5646b0cb1e4d732b6bbcfa62fa94a
Instruction Fuzzy Hash: 5EF03011A1861340FB20EB55A4413BA53519FCC7A4F444131EACDCA7B6DEBCD642A700

Function 00007FF63B852810 Relevance: 6.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF63B852832
CoTaskMemFree.OLE32 ref: 00007FF63B852840
lstrlenW.KERNEL32 ref: 00007FF63B852854
CoTaskMemFree.OLE32 ref: 00007FF63B85286E

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask$FolderKnownPathlstrlen
String ID:
API String ID: 885572716-0
Opcode ID: 1a37300bd131dc23e13f186324e8fe623e27db6c85b2d96cdfdefd2b82f4ee29
Instruction ID: 72084c92235780b82de4d2bc8634cc49e800cbd5f4ca7aeb7447cd8022a8d861
Opcode Fuzzy Hash: 1a37300bd131dc23e13f186324e8fe623e27db6c85b2d96cdfdefd2b82f4ee29
Instruction Fuzzy Hash: 7FF03011A1861340FB20EB55A4513BE53519FCC7E4F484131EACDCA776DDBCD643A744

Function 00007FF63B8527A0 Relevance: 6.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF63B8527C2
CoTaskMemFree.OLE32 ref: 00007FF63B8527D0
lstrlenW.KERNEL32 ref: 00007FF63B8527E4
CoTaskMemFree.OLE32 ref: 00007FF63B8527FE

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask$FolderKnownPathlstrlen
String ID:
API String ID: 885572716-0
Opcode ID: 4b07427487f9f5671e3f5a8e3242b3511b709b45330fc3765a708aefb1ff3b8f
Instruction ID: b06954517cf01b69d360ec5d62d8a41fdbc80c940677eca888254f0a0d75dda9
Opcode Fuzzy Hash: 4b07427487f9f5671e3f5a8e3242b3511b709b45330fc3765a708aefb1ff3b8f
Instruction Fuzzy Hash: A0F03011A1861340FB20EB65A4517BE53519FCC7E4F444131EACDCA776DDBCD6429710

Function 00007FF63B8526C0 Relevance: 6.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF63B8526E2
CoTaskMemFree.OLE32 ref: 00007FF63B8526F0
lstrlenW.KERNEL32 ref: 00007FF63B852704
CoTaskMemFree.OLE32 ref: 00007FF63B85271E

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask$FolderKnownPathlstrlen
String ID:
API String ID: 885572716-0
Opcode ID: 38880fc186ab7fb8c80efdf4ebed188d508917ee0f83da720245019297b80da0
Instruction ID: 7a676f977c618ea83019b25057d3fb9a492020131edefbe088ae1e708e6f614f
Opcode Fuzzy Hash: 38880fc186ab7fb8c80efdf4ebed188d508917ee0f83da720245019297b80da0
Instruction Fuzzy Hash: 19F03011A1861380FB20EB15A4513BE53519FCC7E4F445131EACDCA776DEBCD6439B00

Function 00007FF63B852730 Relevance: 6.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF63B852752
CoTaskMemFree.OLE32 ref: 00007FF63B852760
lstrlenW.KERNEL32 ref: 00007FF63B852774
CoTaskMemFree.OLE32 ref: 00007FF63B85278E

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask$FolderKnownPathlstrlen
String ID:
API String ID: 885572716-0
Opcode ID: b8123952433213a2fb5bdf11f8dfb75bcfe2116d30493f6e2413c1214eaf569f
Instruction ID: 9e0db66e6887dbb85af6b3a79ce9b74b22534eea260c8ebc86d3256b949e3cd5
Opcode Fuzzy Hash: b8123952433213a2fb5bdf11f8dfb75bcfe2116d30493f6e2413c1214eaf569f
Instruction Fuzzy Hash: FAF03011A1861380FB20EB15A4513BE53519FCCBA4F484131EACDCA776DDBCD6429B40

Function 00007FF63B852650 Relevance: 6.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF63B852672
CoTaskMemFree.OLE32 ref: 00007FF63B852680
lstrlenW.KERNEL32 ref: 00007FF63B852694
CoTaskMemFree.OLE32 ref: 00007FF63B8526AE

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask$FolderKnownPathlstrlen
String ID:
API String ID: 885572716-0
Opcode ID: 560f5d9deb538c48138e62087de6bb89012e4bf62134e081db744dc6489cff75
Instruction ID: 6336382073de32e011f5a435e139c6284f8956cb7b29de93c85d8a3752ab069f
Opcode Fuzzy Hash: 560f5d9deb538c48138e62087de6bb89012e4bf62134e081db744dc6489cff75
Instruction Fuzzy Hash: CDF03011A1865340FB20EB15A4413BE63519FCC7A4F444131EACDCA776DDBCD6429B04

Function 00007FF63B8529D0 Relevance: 6.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF63B8529F2
CoTaskMemFree.OLE32 ref: 00007FF63B852A00
lstrlenW.KERNEL32 ref: 00007FF63B852A14
CoTaskMemFree.OLE32 ref: 00007FF63B852A2E

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask$FolderKnownPathlstrlen
String ID:
API String ID: 885572716-0
Opcode ID: 765b14d324591dd7dbb5c9e4810704154203ed939c8c401d4fafe383fe45e140
Instruction ID: 1c68893741f9cc8f31010a590879615dc07fd0ce850b64506ef2b3fb808e372c
Opcode Fuzzy Hash: 765b14d324591dd7dbb5c9e4810704154203ed939c8c401d4fafe383fe45e140
Instruction Fuzzy Hash: 8EF03011A1C61340FB20EB25A4413BA53519FCC7E4F444131EACDCA776DEBCD6429740

Function 00007FF63B8525E0 Relevance: 6.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF63B852602
CoTaskMemFree.OLE32 ref: 00007FF63B852610
lstrlenW.KERNEL32 ref: 00007FF63B852624
CoTaskMemFree.OLE32 ref: 00007FF63B85263E

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask$FolderKnownPathlstrlen
String ID:
API String ID: 885572716-0
Opcode ID: 84f1200789b04fe27f2d92febaec53b88600580e2f6059874441b250b3ade91e
Instruction ID: 5cc9be060508fbcb5babc06b18e1d4fe65d4638205a1e023e0684bfae3e3f7cd
Opcode Fuzzy Hash: 84f1200789b04fe27f2d92febaec53b88600580e2f6059874441b250b3ade91e
Instruction Fuzzy Hash: D7F03011A1861340FB20EB15A4413BE53519FCC7A4F444131EACDCA776DEBCD6429B40

Function 00007FF63B852570 Relevance: 6.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF63B852592
CoTaskMemFree.OLE32 ref: 00007FF63B8525A0
lstrlenW.KERNEL32 ref: 00007FF63B8525B4
CoTaskMemFree.OLE32 ref: 00007FF63B8525CE

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask$FolderKnownPathlstrlen
String ID:
API String ID: 885572716-0
Opcode ID: 817e1a30eac86eb090f9994de4614a9dca034a291c50cf07ead52d7b09f5d258
Instruction ID: 15d69ece1cd6353b948fe7e690808acd25dbefa326b25d666b03cca52de4aae3
Opcode Fuzzy Hash: 817e1a30eac86eb090f9994de4614a9dca034a291c50cf07ead52d7b09f5d258
Instruction Fuzzy Hash: 3AF03011A1861340FB20EB15A4513BE63519FCC7A4F444131EACECA776DDBCD6429700

Function 00007FF63B852960 Relevance: 6.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF63B852982
CoTaskMemFree.OLE32 ref: 00007FF63B852990
lstrlenW.KERNEL32 ref: 00007FF63B8529A4
CoTaskMemFree.OLE32 ref: 00007FF63B8529BE

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: FreeTask$FolderKnownPathlstrlen
String ID:
API String ID: 885572716-0
Opcode ID: d57d2c2b6a1d29a790100084cf7766824a511902db7252e25419bc630e94d805
Instruction ID: 70dc821fbf02d155dabb06a0b36ddf3224be54dac4d3a1c5ca941774c95b4cc9
Opcode Fuzzy Hash: d57d2c2b6a1d29a790100084cf7766824a511902db7252e25419bc630e94d805
Instruction Fuzzy Hash: 28F03A12A1861741FB20EB25A4417BE63519FCCBA4F485131EACDCABB6DEBCD642A704

Function 00007FF63B8A9ED0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF63B8EA34B

Strings

CCG , xrefs: 00007FF63B8EA346
TSUR, xrefs: 00007FF63B8A9F04

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise
String ID: CCG $TSUR
API String ID: 3997070919-2088351922
Opcode ID: b7f37dd155eb697baee4333a51d4510cfa74eab51422b6cc498573e7c8516b16
Instruction ID: 4d874049215acbcf9846915bd8f42ea2ec2f8cd06558871dce208f4822504463
Opcode Fuzzy Hash: b7f37dd155eb697baee4333a51d4510cfa74eab51422b6cc498573e7c8516b16
Instruction Fuzzy Hash: 3D419D26F18A458AE7109B61E8503FC6764FB8CB84F548236EE8D537A5DF38E196D700

Function 00007FF63B8A3410 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,00007FF63B88E352), ref: 00007FF63B8A348E
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FF63B88E352), ref: 00007FF63B8A34E9

Strings

assertion failed: is_unlocked(state), xrefs: 00007FF63B8A34B6

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: AddressSingleValueWake
String ID: assertion failed: is_unlocked(state)
API String ID: 741412973-3502192491
Opcode ID: 48f02ea38cc05c9d20fea00dddac4e8405406d7ae0167d4f862429d908957722
Instruction ID: 4c6ff50938c671096ec5543ff9ac5768abc37055bf4174f6e196d6bdc5f467ce
Opcode Fuzzy Hash: 48f02ea38cc05c9d20fea00dddac4e8405406d7ae0167d4f862429d908957722
Instruction Fuzzy Hash: A7218F22F0A4168AFB66961654003B953959FDD728F24C035DE8D867E4DD3DE983AB80

Function 00007FF63B8A9C10 Relevance: 5.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF63B8A9C32
TlsGetValue.KERNEL32 ref: 00007FF63B8A9C93
TlsSetValue.KERNEL32 ref: 00007FF63B8A9CA3
TlsGetValue.KERNEL32 ref: 00007FF63B8A9CF2

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 68c9786fa88d8909b0327f2257ec91d1b152c0c4b7abb8785313471917f74c89
Instruction ID: abadfe5c8c7c8263197c5af0dedb5562d7b44eac97f84a4c0e1904f5bd38a5c3
Opcode Fuzzy Hash: 68c9786fa88d8909b0327f2257ec91d1b152c0c4b7abb8785313471917f74c89
Instruction Fuzzy Hash: E831CD22F0DA1642FA555B1595403BC6394AF8CB80F084435DECEC77F2EE7CE842A740

Function 00007FF63B8A99F0 Relevance: 5.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF63B88EE11), ref: 00007FF63B8A9A12
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF63B88EE11), ref: 00007FF63B8A9A73
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF63B88EE11), ref: 00007FF63B8A9A83
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF63B88EE11), ref: 00007FF63B8A9AD2

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a4f0b2c96a2fed1340fdf17c3893d7c3d2c3731174bfdde67e07d3523745b4ed
Instruction ID: ee097a985fa404895ca35f6004177298b9dbc851e5a6d463ef9092ac8a2e393c
Opcode Fuzzy Hash: a4f0b2c96a2fed1340fdf17c3893d7c3d2c3731174bfdde67e07d3523745b4ed
Instruction Fuzzy Hash: 3B317C22F1D62246FA559A1595103BD6390AF8CB80F488436DECDC77E6DE7CF942A740

Function 00007FF63B8A9B20 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF63B8A9B42
TlsGetValue.KERNEL32 ref: 00007FF63B8A9B98
TlsSetValue.KERNEL32 ref: 00007FF63B8A9BA8
TlsGetValue.KERNEL32 ref: 00007FF63B8A9BE1

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a29ce489d6a994ba7e83554d514073fc3469352818fdb9668abb352a044f86ed
Instruction ID: 17e65560df409a2470e0f9433723f2dc587e6f86048e0c0394ffcd0dedb0b673
Opcode Fuzzy Hash: a29ce489d6a994ba7e83554d514073fc3469352818fdb9668abb352a044f86ed
Instruction Fuzzy Hash: D8217C21F0D66646EB556B1585403BCA795AF8CB80F488835DECDC77E2DE7CE8436B40

Function 00007FF63B8556A0 Relevance: 5.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF63B8556B7
CloseHandle.KERNEL32 ref: 00007FF63B8556BF
CloseHandle.KERNEL32 ref: 00007FF63B8556CE
CloseHandle.KERNEL32 ref: 00007FF63B8556DE

Memory Dump Source

Source File: 00000000.00000002.2112024096.00007FF63B851000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63B850000, based on PE: true

Associated: 00000000.00000002.2112005881.00007FF63B850000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112130696.00007FF63B8EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63B8ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112148317.00007FF63BAF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112776811.00007FF63BB01000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112790932.00007FF63BB02000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2112804968.00007FF63BB05000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63b850000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6bd6caac4ad39668e3387a6095ec1d3a85d28f6c2940c8a041fab7740e11b7ee
Instruction ID: 01a1abf3bc6852c52dd7818db6bb7fa41150f99f8530ccb4b684f294eee36473
Opcode Fuzzy Hash: 6bd6caac4ad39668e3387a6095ec1d3a85d28f6c2940c8a041fab7740e11b7ee
Instruction Fuzzy Hash: F5F0FF16A1954282EB359A96E4463BD5360EB89794F485031DFCE877E1CFBCE8C7D304

Analysis Process: calibre.exePID: 5644, Parent PID: 3064COMMON

Execution Graph

Execution Coverage:	27.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64%
Total number of Nodes:	25
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000B108C Relevance: 31.6, APIs: 7, Strings: 11, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,000B3010,00000104,00000000,000B1274), ref: 000B109A
wsprintfW.USER32 ref: 000B10FC
SetDllDirectoryW.KERNEL32(000B3010), ref: 000B1106
LoadLibraryW.KERNEL32(ucrtbase.dll), ref: 000B1128
LoadLibraryW.KERNELBASE(calibre-launcher.dll), ref: 000B113A
GetProcAddress.KERNEL32(00000000,execute_python_entrypoint), ref: 000B1158
GetProcAddress.KERNEL32(simple_print), ref: 000B1175

Strings

Executable path has no path separators, xrefs: 000B10D7
Unable to find ucrtbase.dll. You should install all Windows updates on your computer to get this file., xrefs: 000B112E
Failed to set DLL directory, xrefs: 000B1110
calibre-launcher.dll, xrefs: 000B1135
ucrtbase.dll, xrefs: 000B1123
execute_python_entrypoint, xrefs: 000B1152
Failed to load: calibre-launcher.dll, xrefs: 000B1145
Installation directory path too long, xrefs: 000B10AE
Failed to get the calibre-launcher dll entry point, xrefs: 000B1163
app\bin, xrefs: 000B10F1
simple_print, xrefs: 000B116A

Memory Dump Source

Source File: 00000004.00000002.2250328543.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000004.00000002.2250303346.00000000000B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2250351841.00000000000B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2250377976.00000000000B4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b0000_calibre.jbxd

Similarity

API ID: AddressLibraryLoadProc$DirectoryFileModuleNamewsprintf
String ID: Executable path has no path separators$Failed to get the calibre-launcher dll entry point$Failed to load: calibre-launcher.dll$Failed to set DLL directory$Installation directory path too long$Unable to find ucrtbase.dll. You should install all Windows updates on your computer to get this file.$app\bin$calibre-launcher.dll$execute_python_entrypoint$simple_print$ucrtbase.dll
API String ID: 3608902576-1364716815
Opcode ID: 7bd9e50051d14a44e9aa4d446635c80fecba28635742fb73acb8f73d7dc7dcc5
Instruction ID: 93b63e6f770329f836d568fb4f51ba8ac3b8e23c2898ef9777b575d1a2c2b333
Opcode Fuzzy Hash: 7bd9e50051d14a44e9aa4d446635c80fecba28635742fb73acb8f73d7dc7dcc5
Instruction Fuzzy Hash: 46117D30A7831575FA64776D7C3BFDA2A986F11B40F500A22F700F90E2E6D8D890D745

Function 000B126C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000B108C: GetModuleFileNameW.KERNEL32(00000000,000B3010,00000104,00000000,000B1274), ref: 000B109A

FreeLibrary.KERNELBASE(?), ref: 000B129F
ExitProcess.KERNEL32 ref: 000B12AD

Strings

calibre.gui_launch, xrefs: 000B1285
calibre, xrefs: 000B127F, 000B1284, 000B128A

Memory Dump Source

Source File: 00000004.00000002.2250328543.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000004.00000002.2250303346.00000000000B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2250351841.00000000000B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2250377976.00000000000B4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b0000_calibre.jbxd

Similarity

API ID: ExitFileFreeLibraryModuleNameProcess
String ID: calibre$calibre.gui_launch
API String ID: 2405871167-4149245690
Opcode ID: 3ab5895ce043cf68a5fe6e807e059f74a2ac8deac134fb895e4b8454904db074
Instruction ID: 1f8c827e3d9e15603d2a2a9da05810c30433de5bb6bb5337c83ff1febec7afcd
Opcode Fuzzy Hash: 3ab5895ce043cf68a5fe6e807e059f74a2ac8deac134fb895e4b8454904db074
Instruction Fuzzy Hash: 7BE0863063422067F7287B74DC29FE737D8AF01B01F500214B505EA1A1C6ADEA6087E5

Non-executed Functions

Function 000B121C Relevance: 4.5, APIs: 3, Instructions: 33
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,7591F550,?,?,000B111A,Failed to get the calibre-launcher dll entry point), ref: 000B1227
FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,?,7591F550,?,?,000B111A,Failed to get the calibre-launcher dll entry point), ref: 000B1241

Part of subcall function 000B11A5: LocalAlloc.KERNEL32(00000040,00000000,000B3010,?,000B10E1,Executable path has no path separators,000B2040,00000001), ref: 000B11C9
Part of subcall function 000B11A5: MessageBoxW.USER32(00000000,?,00000000,00000010), ref: 000B11DC

LocalFree.KERNEL32(?,?,000B111A,Failed to get the calibre-launcher dll entry point), ref: 000B1260

Memory Dump Source

Source File: 00000004.00000002.2250328543.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000004.00000002.2250303346.00000000000B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2250351841.00000000000B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2250377976.00000000000B4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b0000_calibre.jbxd

Similarity

API ID: LocalMessage$AllocErrorFormatFreeLast
String ID:
API String ID: 1114563587-0
Opcode ID: 97765442c21eb78b54dcc0915ea331e03d9c1202d4bf884d2abcb3c0db65e589
Instruction ID: 802d60f78c682e016a8cf9857840fcdec08a3c3a1be083b0c2d95792548fcbbc
Opcode Fuzzy Hash: 97765442c21eb78b54dcc0915ea331e03d9c1202d4bf884d2abcb3c0db65e589
Instruction Fuzzy Hash: 79F01272901118FBEB116B96DD09DDFBEBCEF85791B100165F605A2161D6714F10D7A0

Function 000B11A5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 43
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000040,00000000,000B3010,?,000B10E1,Executable path has no path separators,000B2040,00000001), ref: 000B11C9
MessageBoxW.USER32(00000000,?,00000000,00000010), ref: 000B11DC
MessageBeep.USER32(00000010), ref: 000B11E4
wsprintfW.USER32 ref: 000B11F9
MessageBoxW.USER32(00000000,00000000,00000000,00000010), ref: 000B1209
LocalFree.KERNEL32(00000000), ref: 000B1210

Strings

%s %s (Error Code: %d), xrefs: 000B11F3

Memory Dump Source

Source File: 00000004.00000002.2250328543.00000000000B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000004.00000002.2250303346.00000000000B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2250351841.00000000000B2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2250377976.00000000000B4000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b0000_calibre.jbxd

Similarity

API ID: Message$Local$AllocBeepFreewsprintf
String ID: %s %s (Error Code: %d)
API String ID: 827487744-988622853
Opcode ID: a4f3f3d05c701116289ec8a8d161a3c4e6818d3941026bfbd15b8639325fdff1
Instruction ID: 5a6c8f169fa81e5467c1d2cc2415919ca288d9e69ae6146cbf0caac54bb4c17a
Opcode Fuzzy Hash: a4f3f3d05c701116289ec8a8d161a3c4e6818d3941026bfbd15b8639325fdff1
Instruction Fuzzy Hash: 11018172551218FBEB127FA0DC09FDE3FA9EF093A0F404511FF09991A2D6758920DBA5

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Documents\CalibreLauncher.js

C:\Users\Public\Documents\calibre-launcher.dll

C:\Users\Public\Documents\calibre.exe

C:\Users\user\AppData\Local\Temp\246122658369

C:\Users\user\AppData\Local\Temp\WikG.zip

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Calibre.url

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.4266.14577.exe

Function 00007FF63B8517B0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 521
COMMON

Function 00007FF63B851180 Relevance: 10.6, APIs: 7, Instructions: 137
sleepstringCOMMON

Function 00007FF63B8948D0 Relevance: 3.1, APIs: 2, Instructions: 75
filenativesynchronizationCOMMON

Function 00007FF63B891020 Relevance: 7.7, APIs: 5, Instructions: 184
fileCOMMON

Function 00007FF63B8794C0 Relevance: 3.9, APIs: 3, Instructions: 106
COMMON

Function 00007FF63B874B70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
threadCOMMON

Function 00007FF63B8528F0 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Function 00007FF63B893220 Relevance: 1.4, APIs: 1, Instructions: 142
COMMON

Function 00007FF63B8912C0 Relevance: 1.3, APIs: 1, Instructions: 69
COMMON